View txt
CVE-2019-13337 | |
[Description] | |
In WESEEK GROWI before 3.5.0, the site-wide basic authentication can | |
be bypassed by adding a URL parameter access_token (this is the | |
parameter used by the API). No valid token is required since it is not | |
validated by the backend. The website can then be browsed as if no | |
basic authentication is required. |