Hey ammamad, I've emailed the maintainers for you.

We will fix it. Please wait the next release.

Thanks for reporting the vulnerability. It has already been fixed and released on v4.8.8. Thank you.

At the request of Kaori Tokashiki, we have gone ahead and assigned and published CVE-2021-3852.

If you have any further questions don't hesitate to get in touch.

@admin Hi, thanks for publishing the CVE.

By the way, e-mail automatic delivery system seems to be set to “vuls@jpcert.or.jp” which is different organization from GROWI project. Could you replace it to “ml-jvn-growi@weseek.co.jp”?

Sorry, I made a mistake on the comment 3 before. The released version is v4.4.8 not v4.8.8.

@maintainer - you are welcome!

We can replace it, however, I attempted sending an e-mail to this new address yesterday, and it failed to deliver?

I will try another test e-mail now if that is okay.

Just tried and I receive this error from our e-mail provider:

550 5.1.1 The email account that you tried to reach does not exist. Please try double-checking the recipient's email address for typos or unnecessary spaces.

@admin Could you try it again with "ml-jvn-growi@weseek.co.jp"?

↑please ignore the comment. @admin Could you try it again with "ml-jvm-growi@weseek.co.jp"?

It looks like that one was sent, can you confirm that you received this e-mail? After, we can go ahead and update the contact details for future notifications and reports.

I replied to your email just now. Please check.

I received it - shall I go ahead and update your contact address to this new e-mail?