Skip to main content

Growi CVE-2019-13338

HIGH
Missing Authentication for Critical Function (CWE-306)
2019-07-09 cve@mitre.org
7.5
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 09, 2019 - 20:15 nvd
HIGH 7.5

DescriptionNVD

In WESEEK GROWI before 3.5.0, a remote attacker can obtain the password hash of the creator of a page by leveraging wiki access to make API calls for page metadata. In other words, the password hash can be retrieved even though it is not a publicly available field.

AnalysisAI

In WESEEK GROWI before 3.5.0, a remote attacker can obtain the password hash of the creator of a page by leveraging wiki access to make API calls for page metadata. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Missing Authentication for Critical Function (CWE-306), which allows attackers to access critical functionality without authentication. In WESEEK GROWI before 3.5.0, a remote attacker can obtain the password hash of the creator of a page by leveraging wiki access to make API calls for page metadata. In other words, the password hash can be retrieved even though it is not a publicly available field. Affected products include: Weseek Growi. Version information: before 3.5.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Require authentication for all sensitive operations, implement defense in depth.

More in Growi

View all
CVE-2021-20736 CRITICAL
9.1 Jun 22

NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the inf

CVE-2019-5968 HIGH
8.8 Jul 05

Cross-site request forgery (CSRF) vulnerability in GROWI v3.4.6 and earlier allows remote attackers to hijack the authen

CVE-2026-41040 HIGH
8.7 Apr 23

Remote denial of service via regular expression attack in GROWI allows unauthenticated network attackers to exhaust serv

CVE-2026-25083 HIGH
8.7 Mar 16

Cross-user data exposure and tampering in GROWI v7.4.5 and earlier allows any authenticated user who learns a shared AI

CVE-2026-41951 HIGH
8.6 May 11

Remote path traversal in GROWI v7.5.0 and earlier allows authenticated administrators to execute arbitrary EJS templates

CVE-2021-20670 HIGH
7.5 Mar 10

Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to r

CVE-2020-5683 HIGH
7.5 Dec 16

Directory traversal vulnerability in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1

CVE-2020-5682 HIGH
7.5 Dec 16

Improper input validation in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series)

CVE-2020-5676 HIGH
7.5 Dec 03

GROWI v4.1.3 and earlier allow remote attackers to obtain information which is not allowed to access via unspecified vec

CVE-2019-13337 HIGH
7.5 Jul 09

In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token

CVE-2021-20671 HIGH
7.2 Mar 10

Invalid file validation on the upload feature in GROWI versions v4.2.2 allows a remote attacker with administrative priv

CVE-2023-50332 MEDIUM
6.5 Dec 26

Improper authorization vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.0.6

Share

CVE-2019-13338 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy