Every CVE whose affected-product data names Weseek Growi, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (43)
CVE-2021-20736 — CVSS 9.1 (critical): NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in…
CVE-2019-5968 — CVSS 8.8 (high): Cross-site request forgery (CSRF) vulnerability in GROWI v3.4.6 and earlier allows remote attackers to hijack the authentication of…
CVE-2021-20670 — CVSS 7.5 (high): Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to read the user's…
CVE-2019-13337 — CVSS 7.5 (high): In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the…
CVE-2019-13338 — CVSS 7.5 (high): In WESEEK GROWI before 3.5.0, a remote attacker can obtain the password hash of the creator of a page by leveraging wiki access to make API…
CVE-2020-5683 — CVSS 7.5 (high): Directory traversal vulnerability in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI…
CVE-2020-5682 — CVSS 7.5 (high): Improper input validation in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3…
CVE-2020-5676 — CVSS 7.5 (high): GROWI v4.1.3 and earlier allow remote attackers to obtain information which is not allowed to access via unspecified vectors.
CVE-2021-20671 — CVSS 7.2 (high): Invalid file validation on the upload feature in GROWI versions v4.2.2 allows a remote attacker with administrative privilege to overwrite…
CVE-2021-20737 — CVSS 6.5 (medium): Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without…
CVE-2023-50332 — CVSS 6.5 (medium): Improper authorization vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.0.6. If this…
CVE-2023-50294 — CVSS 6.5 (medium): The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form. As a result, the…
CVE-2022-41799 — CVSS 6.5 (medium): Improper access control vulnerability in GROWI prior to v5.1.4 (v5 series) and versions prior to v4.5.25 (v4 series) allows a remote…
CVE-2021-20619 — CVSS 6.1 (medium): Cross-site scripting vulnerability in GROWI (v4.2 Series) versions prior to v4.2.3 allows remote attackers to inject an arbitrary script…
CVE-2025-54806 — CVSS 6.1 (medium): GROWI v4.2.7 and earlier contains a cross-site scripting vulnerability in the page alert function. If a user accesses a crafted URL while…
CVE-2021-20672 — CVSS 6.1 (medium): Reflected cross-site scripting vulnerability due to insufficient verification of URL query parameters in GROWI (v4.2 Series) versions from…
CVE-2021-20829 — CVSS 6.1 (medium): Cross-site scripting vulnerability due to the inadequate tag sanitization in GROWI versions v4.2.19 and earlier allows remote attackers to…
CVE-2018-0654 — CVSS 6.1 (medium): Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the…
CVE-2018-0653 — CVSS 6.1 (medium): Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via Wiki…
CVE-2020-5678 — CVSS 6.1 (medium): Stored cross-site scripting vulnerability in GROWI v3.8.1 and earlier allows remote attackers to inject arbitrary script via unspecified…
CVE-2020-5677 — CVSS 6.1 (medium): Reflected cross-site scripting vulnerability in GROWI v4.0.0 and earlier allows remote attackers to inject arbitrary script via unspecified…
CVE-2019-5969 — CVSS 6.1 (medium): Open redirect vulnerability in GROWI v3.4.6 and earlier allows remote attackersto redirect users to arbitrary web sites and conduct…
CVE-2023-49807 — CVSS 5.4 (medium): Stored cross-site scripting vulnerability when processing the MathJax exists in GROWI versions prior to v6.0.0. If this vulnerability is…
CVE-2018-0698 — CVSS 5.4 (medium): Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via…
CVE-2018-16205 — CVSS 5.4 (medium): Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via New Page…
CVE-2021-20667 — CVSS 5.4 (medium): Stored cross-site scripting vulnerability due to inadequate CSP (Content Security Policy) configuration in GROWI versions v4.2.2 and…
CVE-2023-47215 — CVSS 5.4 (medium): Stored cross-site scripting vulnerability which is exploiting a behavior of the XSS Filter exists in GROWI versions prior to v6.0.0. If…
CVE-2023-49119 — CVSS 5.4 (medium): Stored cross-site scripting vulnerability via the img tags exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an…
CVE-2023-49598 — CVSS 5.4 (medium): Stored cross-site scripting vulnerability exists in the event handlers of the pre tags in GROWI versions prior to v6.0.0. If this…
CVE-2023-49779 — CVSS 5.4 (medium): Stored cross-site scripting vulnerability exists in the anchor tag of GROWI versions prior to v6.0.0. If this vulnerability is exploited…
CVE-2023-50175 — CVSS 5.4 (medium): Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and…
CVE-2023-50339 — CVSS 5.4 (medium): Stored cross-site scripting vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.1.11. If this…
CVE-2023-42436 — CVSS 5.4 (medium): Stored cross-site scripting vulnerability exists in the presentation feature of GROWI versions prior to v3.4.0. If this vulnerability is…
CVE-2023-45737 — CVSS 5.4 (medium): Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page of…
CVE-2023-45740 — CVSS 5.4 (medium): Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is…
CVE-2021-20673 — CVSS 4.8 (medium): Stored cross-site scripting vulnerability in Admin Page of GROWI (v4.2 Series) versions from v4.2.0 to v4.2.7 allows remote authenticated…
CVE-2018-0655 — CVSS 4.8 (medium): Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or…
CVE-2018-0652 — CVSS 4.8 (medium): Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or…
CVE-2021-20669 — CVSS 4.7 (medium): Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read and/or delete an…
CVE-2023-46699 — CVSS 4.3 (medium): Cross-site request forgery (CSRF) vulnerability exists in the User settings (/me) page of GROWI versions prior to v6.0.0. If a user views a…
CVE-2021-20668 — CVSS 2.7 (low): Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read an arbitrary path…