CVE-2019-13337

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2019-13337

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-13337.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-13337

Published

2019-07-09T20:15:10.713Z

Modified

2026-04-10T04:15:37.203853Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). No valid token is required since it is not validated by the backend. The website can then be browsed as if no basic authentication is required.

References

https://gist.github.com/polkaman/d039fb5236a043907e44efc198d9161c

Affected packages

Git / github.com/weseek/growi

Affected ranges

Type

GIT

Repo

https://github.com/weseek/growi

Events

Introduced

Fixed

03aa1ac03698678f3a510be5cc875b2b9ff82020

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.5.0"
        }
    ]
}

Affected versions

1.*

1.0.0-RC3

v1.*

v1.0.0-RC

v1.0.0-RC2

v1.0.0-RC4

v1.3.0

v1.3.1

v1.4.0

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.6.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-13337.json"