CVE-2025-61994 is a cross-site scripting vulnerability identified in GROWI, a popular open-source collaborative documentation platform developed by GROWI, Inc. The flaw exists in versions prior to 7.2.10, where the application insufficiently sanitizes user-generated content on pages. An attacker with limited privileges can create or modify a page embedding crafted malicious scripts. When a victim user accesses this page, the embedded script executes in their browser context, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or conduct further attacks such as phishing or malware delivery. The vulnerability requires the attacker to have some level of authenticated access to create or edit pages and requires the victim to interact by visiting the malicious page. The CVSS v3.0 score of 5.4 reflects a medium severity, with network attack vector, low attack complexity, requiring privileges and user interaction, and impacting confidentiality and integrity but not availability. No public exploits are known at this time, but the vulnerability poses a risk to organizations relying on GROWI for internal knowledge sharing and documentation, especially where sensitive information is stored or accessed. The vulnerability is mitigated in version 7.2.10 by improved input validation and output encoding to prevent script injection.

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive information, session hijacking, and unauthorized actions performed under the victim user's credentials. Organizations using GROWI for internal documentation, project management, or knowledge bases may face risks of data leakage or compromise of user accounts. This is particularly critical in sectors handling confidential or regulated data such as finance, healthcare, government, and critical infrastructure. The attack requires authenticated attacker access, limiting exposure to insider threats or compromised accounts. However, successful exploitation could facilitate lateral movement or privilege escalation within the organization. The lack of availability impact reduces the risk of denial-of-service but does not diminish the confidentiality and integrity concerns. Given no known exploits exist yet, the threat is currently moderate but could escalate if weaponized. European entities with extensive use of GROWI should consider this vulnerability a priority for patching to maintain compliance with data protection regulations like GDPR.

1. Upgrade all GROWI instances to version 7.2.10 or later immediately to apply the official patch addressing this XSS vulnerability. 2. Implement strict user access controls and limit page creation or editing privileges to trusted users only, reducing the risk of malicious content injection. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing GROWI pages. 4. Conduct regular security audits and code reviews of user-generated content handling to detect and remediate similar injection flaws. 5. Educate users about the risks of clicking on untrusted links or pages within the internal documentation platform. 6. Monitor logs for unusual page creation or modification activities that could indicate exploitation attempts. 7. Consider deploying web application firewalls (WAF) with rules targeting XSS attack patterns specific to GROWI. 8. If upgrading is delayed, temporarily disable or restrict page creation/editing features for non-administrative users as a stopgap measure.