@polkaman
polkaman / txt
Created Jul 9, 2019
CVE-2019-13337-13338 descriptions
CVE-2019-13337
[Description]
In WESEEK GROWI before 3.5.0, the site-wide basic authentication can
be bypassed by adding a URL parameter access_token (this is the
parameter used by the API). No valid token is required since it is not
validated by the backend. The website can then be browsed as if no
basic authentication is required.
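
The flaw class described above, shown as an added example that is not GROWI source code: a gate that treats the mere presence of `access_token` as grounds to skip basic authentication, next to a gate that only honours a token it has validated. All function names, credentials and token values here are hypothetical and constructed for illustration.

```javascript
// Added illustration, not GROWI code. Names and values are constructed.
const crypto = require('crypto');

const BASIC_USER = 'wiki';                       // constructed sample credential
const BASIC_PASS = 'constructed-password';       // constructed sample credential
const API_TOKENS = ['constructed-api-token'];    // constructed sample token store

// Constant-time comparison: hash both sides so the buffers have equal length.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(String(a)).digest();
  const hb = crypto.createHash('sha256').update(String(b)).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Validate an "Authorization: Basic ..." header against the site credentials.
function basicAuthOk(req) {
  const header = req.headers.authorization || '';
  if (!header.startsWith('Basic ')) return false;
  const decoded = Buffer.from(header.slice(6), 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return false;
  const userOk = safeEqual(decoded.slice(0, sep), BASIC_USER);
  const passOk = safeEqual(decoded.slice(sep + 1), BASIC_PASS);
  return userOk && passOk;
}

// Flawed gate: any access_token value, valid or not, skips basic auth.
function gateFlawed(req) {
  if (req.query.access_token !== undefined) return 200;
  return basicAuthOk(req) ? 200 : 401;
}

// Hardened gate: a token only counts if it matches a known token.
// Non-string values (e.g. a repeated parameter parsed as an array) are ignored.
function gateHardened(req) {
  const token = req.query.access_token;
  if (typeof token === 'string' && API_TOKENS.some((t) => safeEqual(token, t))) {
    return 200;
  }
  return basicAuthOk(req) ? 200 : 401;
}

// Regression check: returns true when an unvalidated token no longer opens the gate.
function regressionCheck(gate) {
  const probe = { headers: {}, query: { access_token: 'not-a-real-token' } };
  return gate(probe) === 401;
}
```

`regressionCheck` is the kind of assertion worth keeping in a test suite after upgrading, so the bypass cannot silently return.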