CVE-2023-45740: Cross-site scripting (XSS) in WESEEK, Inc. GROWI

Severity: Medium
Published: Tue Dec 26 2023 (12/26/2023, 07:20:42 UTC)
Source: CVE
Vendor/Project: WESEEK, Inc.
Product: GROWI

Description

Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.

AI-Powered Analysis

Last updated: 06/22/2025, 09:05:22 UTC

Technical Analysis

CVE-2023-45740 is a stored cross-site scripting (XSS) vulnerability identified in WESEEK, Inc.'s GROWI software versions prior to 4.1.3. The vulnerability arises from improper sanitization or validation of profile images processed by the application, allowing an attacker to inject arbitrary scripts that are stored persistently on the server. When a user accesses a page containing the maliciously crafted profile image, the embedded script executes in the context of the victim's browser. This can lead to unauthorized actions such as session hijacking, theft of sensitive information, or manipulation of the web interface. The vulnerability requires that the attacker have at least limited privileges (PR:L) to upload or modify profile images, and user interaction is necessary (UI:R) for the malicious script to execute, i.e., a user must view the affected page. The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector (AV:N), low attack complexity (AC:L), privileges required (PR:L), user interaction required (UI:R), and impacts limited to confidentiality and integrity (C:L/I:L) without affecting availability. The scope is changed (S:C), indicating that exploitation can affect resources beyond the vulnerable component. No known exploits in the wild have been reported as of the publication date (December 26, 2023).

Potential Impact

For European organizations using GROWI versions prior to 4.1.3, this vulnerability poses a moderate risk primarily to confidentiality and integrity of information. Since GROWI is a collaborative documentation platform, exploitation could allow attackers to execute scripts that steal session tokens, perform actions on behalf of users, or manipulate displayed content. This could lead to unauthorized disclosure of sensitive corporate knowledge, internal communications, or intellectual property. The requirement for attacker privileges to upload profile images limits the attack surface to insiders or compromised accounts, but the potential for lateral movement or privilege escalation exists if attackers leverage this vulnerability in combination with other weaknesses. The impact on availability is negligible. Organizations in sectors with stringent data protection requirements (e.g., finance, healthcare, government) may face compliance risks if sensitive data is exposed. Additionally, the cross-site scripting nature of the vulnerability could be used as a vector for phishing or social engineering campaigns targeting employees. Given the collaborative nature of GROWI, the risk of reputational damage and operational disruption due to trust erosion is also relevant.

Mitigation Recommendations

European organizations should prioritize upgrading GROWI installations to version 4.1.3 or later, where this vulnerability is patched. Until upgrades can be performed, organizations should implement strict access controls to limit who can upload or modify profile images, ideally restricting this capability to trusted administrators. Employing web application firewalls (WAFs) with custom rules to detect and block suspicious script payloads in profile image uploads can provide interim protection. Additionally, organizations should enforce Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. Regular auditing of user accounts and monitoring for anomalous profile image changes can help detect exploitation attempts. User education to recognize phishing attempts that might leverage this vulnerability is also recommended. Finally, integrating vulnerability scanning and penetration testing focused on XSS vectors in GROWI deployments will help identify residual risks.

Technical Details

Data Version: 5.1
Assigner Short Name: jpcert
Date Reserved: 2023-12-07T02:39:50.226Z
CISA Enriched: true

Threat ID: 682d9847c4522896dcbf549c

Added to database: 5/21/2025, 9:09:27 AM

Last enriched: 6/22/2025, 9:05:22 AM

Last updated: 8/14/2025, 1:46:27 AM
