Disclosure Date 2021/03/07

CVE-2021-20667

Stored Cross-site Scripting in GROWI

Credit

stypr (@stereotype32)

Affected-Versions

  • 4.2.2 and earlier

CWE

CWE-79

Description

An inadequate Content Security Policy (CSP) configuration allows a remote attacker to execute an arbitrary script in the web browser of a user who accesses an attached file containing specially crafted content.

Product-URLs

https://growi.org/
