Executive Summary

This vulnerability is a reflected cross-site scripting (XSS) issue in GROWI versions 4.2.7 and earlier, specifically in the page alert function. It occurs because the application improperly handles user input from URL query parameters, allowing an attacker to craft a URL that executes arbitrary JavaScript code in the web browser of a logged-in user who clicks the URL. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to the execution of arbitrary scripts in the user's browser, potentially causing loss of confidentiality and integrity of data. An attacker could exploit this to steal sensitive information or manipulate data within the affected GROWI instance. However, it does not impact availability. Exploitation requires the user to interact by clicking a crafted URL while logged in. [2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your GROWI instance is running version 4.2.7 or earlier, as these versions contain the reflected XSS vulnerability in the page alert function. Detection can involve verifying the version of GROWI deployed. Additionally, testing for the vulnerability could involve accessing a crafted URL with malicious script payloads in the alert function's URL parameters while logged in, to see if arbitrary scripts execute. However, no specific detection commands are provided in the resources. [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update GROWI to version 4.2.8 or later, where the issue has been fixed. Users running affected versions are strongly advised to upgrade as soon as possible to prevent exploitation of the cross-site scripting vulnerability. [1, 2]

Useful 0 Not Useful 0