Vulnerability Database

318,756

Total vulnerabilities in the database

CVE-2019-13337

In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). No valid token is required since it is not validated by the backend. The website can then be browsed as if no basic authentication is required.

Published: Jul 9, 2019
Updated: Nov 9, 2025
CVE: CVE-2019-13337
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-639
CWE-863

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
weseek / growi	-	3.5.0

https://gist.github.com/polkaman/d039fb5236a043907e44efc198d9161c

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo