CVE-2023-47215 in GROWI

Summary

by MITRE • 12/26/2023

A stored cross-site scripting vulnerability that exploits a behavior of the XSS Filter exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.


Analysis

by VulDB Data Team • 01/19/2024

This stored cross-site scripting vulnerability represents a critical security flaw in the GROWI collaboration platform affecting versions prior to v6.0.0. The vulnerability stems from an insufficient implementation of the XSS filter mechanism, which fails to properly sanitize user input before storing and rendering content within the application's web interface. The flaw allows attackers to inject malicious scripts that persist in the application's database and execute whenever affected users access the compromised content, creating a stored XSS attack vector that can be exploited across multiple user sessions.

The technical implementation of this vulnerability involves the application's failure to adequately validate and sanitize user-supplied data during the content storage process. When users submit content containing malicious script payloads, the vulnerable XSS filter does not properly neutralize these inputs, allowing the malicious code to be stored in the application's database. This stored content is then rendered to other users who access the affected pages, causing the malicious script to execute within their browser context. The vulnerability operates at the application layer and affects the web interface directly, making it particularly dangerous as it can compromise user sessions and potentially escalate to more severe attacks.

From an operational impact perspective, this vulnerability exposes organizations using GROWI to significant risks including session hijacking, credential theft, and data exfiltration. Attackers can leverage the stored XSS to steal cookies, session tokens, and other sensitive information from authenticated users who access compromised content. The attack can be particularly devastating in collaborative environments where multiple users access shared documentation and wikis, as a single compromised page can affect numerous users. The vulnerability also potentially enables attackers to perform actions on behalf of users, such as creating malicious pages, modifying content, or redirecting users to phishing sites, all while remaining undetected within the application's normal operations.

Organizations should immediately implement multiple layers of defense to mitigate this vulnerability, beginning with an urgent upgrade to GROWI v6.0.0 or later versions where the XSS filtering has been properly enhanced. Network-based protections such as web application firewalls should be configured to detect and block suspicious script patterns in HTTP requests, and proper input validation and output encoding mechanisms should be implemented. Security teams should conduct thorough audits of all user-generated content to identify and remove any existing malicious payloads, and implement comprehensive monitoring to detect anomalous behavior patterns. The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws, and represents a technique commonly categorized under ATT&CK tactic TA0001 (Initial Access) and technique T1531 (Account Access Removal) when used for session hijacking. Additionally, the vulnerability demonstrates characteristics of ATT&CK technique T1059 (Command and Scripting Interpreter) through the execution of malicious scripts in user browsers, and may facilitate further attacks through credential theft or privilege escalation.

Reservation: 12/07/2023

Disclosure: 12/26/2023

Moderation: accepted

CPE: ready

EPSS: 0.00340

KEV: no

Activities: very low
