CVE-2025-54806: Cross-site scripting (XSS) in GROWI, Inc. GROWI
GROWI v4.2.7 and earlier contains a cross-site scripting vulnerability in the page alert function. If a user accesses a crafted URL while logged in to the affected product, an arbitrary script may be executed on the user's web browser.
AI Analysis
Technical Summary
CVE-2025-54806 is a cross-site scripting vulnerability identified in GROWI, Inc.'s GROWI product, specifically affecting versions 4.2.7 and earlier. The vulnerability resides in the page alert function, which improperly sanitizes user input embedded in URLs. When a logged-in user accesses a specially crafted URL containing malicious JavaScript code, the script executes within the context of the user's browser session. This XSS flaw allows attackers to perform actions such as stealing session cookies, conducting unauthorized operations on behalf of the user, or redirecting users to malicious sites. The vulnerability requires user interaction, as the victim must click or navigate to the malicious URL while authenticated. The CVSS 3.0 base score is 6.1, reflecting medium severity, with an attack vector of network (remote), low attack complexity, no privileges required, but user interaction necessary. The scope is changed (S:C), indicating the vulnerability affects resources beyond the initially vulnerable component. Confidentiality and integrity impacts are low, while availability is unaffected. No public exploits have been reported yet, but the vulnerability poses a risk to organizations relying on GROWI for collaborative documentation and knowledge management. The lack of a patch link suggests that remediation may require vendor updates or manual mitigations. Organizations should monitor for updates and consider temporary mitigations such as input filtering or URL sanitization.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized access to sensitive internal documentation and user impersonation within GROWI instances. As GROWI is often used for collaborative knowledge management, exploitation could result in leakage of confidential business information or manipulation of critical operational data. The attack requires a logged-in user to interact with a malicious URL, making phishing or social engineering likely attack vectors. The medium severity indicates moderate risk; however, in sectors with high confidentiality requirements such as finance, healthcare, or government, the impact could be more significant. Additionally, compromised user sessions could facilitate lateral movement or further exploitation within corporate networks. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits post-disclosure. Organizations with remote or hybrid workforces may be more exposed due to increased URL sharing and external communications.
Mitigation Recommendations
1. Upgrade GROWI to the latest version once a patch addressing CVE-2025-54806 is released by the vendor.
2. Until a patch is available, implement strict input validation and output encoding on the page alert function to sanitize URL parameters and prevent script injection.
3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the GROWI web application.
4. Educate users about the risks of clicking unsolicited or suspicious URLs, especially when logged into internal systems.
5. Monitor web server logs and user activity for unusual URL access patterns indicative of exploitation attempts.
6. Consider deploying web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting GROWI.
7. Review and limit the permissions of GROWI users to minimize potential damage from compromised accounts.
8. Regularly audit and update security configurations for internal collaboration tools to reduce attack surface.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: jpcert
- Date Reserved: 2025-10-15T05:16:42.225Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68f9af5e102015466a3d33f9
Added to database: 10/23/2025, 4:30:22 AM
Last enriched: 10/30/2025, 4:39:57 AM
Last updated: 12/6/2025, 8:05:33 PM