Описание
In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). No valid token is required since it is not validated by the backend. The website can then be browsed as if no basic authentication is required.
Ссылки
- Third Party Advisory
- Third Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 3.5.0 (исключая)
cpe:2.3:a:weseek:growi:*:*:*:*:*:*:*:*
EPSS
Процентиль: 46%
0.00232
Низкий
7.5 High
CVSS3
5 Medium
CVSS2
Дефекты
CWE-639
Связанные уязвимости
CVSS3: 7.5
github
больше 3 лет назад
In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). No valid token is required since it is not validated by the backend. The website can then be browsed as if no basic authentication is required.
EPSS
Процентиль: 46%
0.00232
Низкий
7.5 High
CVSS3
5 Medium
CVSS2
Дефекты
CWE-639