CVE-2023-50294

EUVD-2023-55102
The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form. As a result, the Secret access key for external service may be obtained by an attacker who can access the App Settings page.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 63%
Affected Products (NVD)
VendorProductVersion
weseekgrowi
𝑥
< 6.0.6
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://jvn.jp/en/jp/JVN18715935/
https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/
https://jvn.jp/en/jp/JVN18715935/
https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/