Improper Authentication in GROWI - CVE-2019-13337

Published: July 9, 2019 / Updated: August 8, 2020

Vulnerability identifier: #VU35733
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-13337
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: WESEEK, Inc.
Affected software:
GROWI

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). No valid token is required since it is not validated by the backend. The website can then be browsed as if no basic authentication is required.

How to mitigate CVE-2019-13337

Install update from vendor's website.

Sources