CVE-2018-16205 in GROWI

Summary

by MITRE

Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via New Page modal.


Analysis

by VulDB Data Team • 04/27/2020

The vulnerability identified as CVE-2018-16205 represents a critical cross-site scripting flaw within GROWI version 3.2.3 and earlier releases. This web application security weakness exists in the New Page modal functionality, creating an avenue for remote attackers to execute malicious code within the context of other users' browsers. The vulnerability stems from inadequate input validation and output encoding mechanisms that fail to properly sanitize user-supplied data before rendering it within the web interface.

This XSS vulnerability is classified under CWE-79, improper neutralization of input during web page generation. The specific attack vector is the New Page modal, where user inputs are not sufficiently sanitized before being processed and displayed. Attackers can craft malicious payloads containing script tags or other HTML elements that are executed when other users view the affected pages. The vulnerability is particularly dangerous because it allows persistent XSS, where malicious scripts are stored on the server and executed whenever affected pages are accessed.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to steal session cookies, perform actions on behalf of users, redirect them to malicious sites, or extract sensitive information from the application. The attack requires no authentication and can be executed remotely, making it particularly attractive to threat actors. Users who have access to the GROWI application and view pages containing malicious content are automatically exposed to the attack without any additional interaction beyond normal browsing. This vulnerability particularly affects collaborative documentation environments where multiple users interact with shared content, amplifying the potential damage.

Security practitioners should implement comprehensive input validation and output encoding to address this vulnerability. The recommended mitigations are: proper HTML escaping of all user-supplied content at the point where it is rendered, Content Security Policy headers that restrict script execution, and input sanitization filters that remove or encode potentially dangerous characters. Organizations should also ensure that all GROWI instances are updated to a version that has addressed this vulnerability, as the maintainers have released patches resolving the XSS weakness. Remediation should further include regular security testing and code review to identify similar input validation issues elsewhere in the application. This vulnerability aligns with ATT&CK technique T1566, which covers social engineering tactics including the use of malicious links or content to execute code in user browsers.
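The following is an added example illustrating the CWE-79 pattern described above and the output-encoding fix; it is not GROWI's code and does not reproduce the actual flaw. The function names, the modal markup and the CSP value are hypothetical, and the sample title is a constructed input of the kind a user might type into a "new page" dialog.

```javascript
// Added example (not GROWI's own code): a "new page" modal that renders a
// user-supplied title without encoding, beside the hardened version.

// Constructed sample input: a page title containing markup with an event handler.
const CONSTRUCTED_TITLE = '<img src=x onerror="alert(1)">My Page';

// Vulnerable pattern: the user-controlled value is concatenated straight into
// the HTML that the browser will parse, so any markup in it becomes live DOM.
function renderNewPageModalUnsafe(title) {
  return `<div class="modal-body"><p>Create page: ${title}</p></div>`;
}

// Minimal HTML escaper for text content and double-quoted attribute values.
// '&' must be replaced first so already-encoded entities are not double-decoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: identical markup, but the user-controlled value is encoded
// at the point of rendering, so the browser treats it as text, not as a tag.
function renderNewPageModalSafe(title) {
  return `<div class="modal-body"><p>Create page: ${escapeHtml(title)}</p></div>`;
}

// Review aid: count element openers in the rendered fragment. The template
// itself contributes exactly two (<div>, <p>); anything beyond that came from
// the input and indicates missing output encoding.
function countElementOpeners(html) {
  const matches = html.match(/<[a-zA-Z]/g);
  return matches ? matches.length : 0;
}

// Defence in depth: a Content Security Policy (hypothetical value) that refuses
// inline script, so an encoding miss elsewhere does not become code execution.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Checks whether a policy string forbids inline script. script-src governs if
// present; otherwise default-src does; with neither there is no restriction.
function cspBlocksInlineScript(policy) {
  const directives = policy.split(';').map((d) => d.trim()).filter(Boolean);
  const governing =
    directives.find((d) => d.startsWith('script-src')) ||
    directives.find((d) => d.startsWith('default-src'));
  return governing !== undefined && !governing.includes("'unsafe-inline'");
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderNewPageModalUnsafe(CONSTRUCTED_TITLE));
  console.log('safe:  ', renderNewPageModalSafe(CONSTRUCTED_TITLE));
  console.log('openers unsafe/safe:',
    countElementOpeners(renderNewPageModalUnsafe(CONSTRUCTED_TITLE)),
    countElementOpeners(renderNewPageModalSafe(CONSTRUCTED_TITLE)));
  console.log('CSP blocks inline script:', cspBlocksInlineScript(CSP_HEADER));
}
```

Run it with `node` to see the two renderings side by side: the unsafe output contains a third element (the injected `<img>`), while the safe output contains only the template's own `<div>` and `<p>` and shows the title as literal text. In a real code base the escaping is best done by the templating layer rather than by hand, and the CSP check stands in for reviewing the header a deployment actually sends.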

Reservation

08/30/2018

Disclosure

01/09/2019

Moderation

accepted

CPE

ready

EPSS

0.00171

KEV

no

Activities

very low
