Skip to content

Instantly share code, notes, and snippets.

polkaman / txt
Created Jul 9, 2019
CVE-2019-13337-13338 descriptions
View txt
In WESEEK GROWI before 3.5.0, the site-wide basic authentication can
be bypassed by adding a URL parameter access_token (this is the
parameter used by the API). No valid token is required since it is not
validated by the backend. The website can then be browsed as if no
basic authentication is required.
You can’t perform that action at this time.