JVN#28869536: Multiple vulnerabilities in Cybozu Garoon

Japan Vulnerability Notes (jvn.jp), published 2024-05-13
cybozu garoon
vulnerabilities
data handling
api output
resource consumption
xss
information disclosure
user data
dos
script execution
data alteration
data deletion
software update

CVSS3: 9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 7
Confidence: High
EPSS: 0.001
Percentile: 17.8%

Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.

  • Improper handling of data in Mail (CWE-231): CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H, Base Score 4.9, CVE-2024-31397, CyVDB-3167
  • Improper restriction on the output of some API (CWE-201): CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, Base Score 4.3, CVE-2024-31398, CyVDB-3221
  • Excessive resource consumption in Mail (CWE-1050): CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L, Base Score 4.3, CVE-2024-31399, CyVDB-3238
  • Cross-site scripting vulnerability in Scheduler (CWE-79): CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N, Base Score 6.9, CVE-2024-31401, CyVDB-3439
  • Improper restriction on some operation in Shared To-Dos (CWE-863): CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, Base Score 4.3, CVE-2024-31402, CyVDB-3441
  • Information disclosure in Mail (CWE-201): CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, Base Score 4.3, CVE-2024-31400, CyVDB-3402
  • Improper restriction on browsing and operation in Memo (CWE-863): CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, Base Score 5.4, CVE-2024-31403, CyVDB-3151
  • Browse restriction bypass in Scheduler (CWE-201): CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, Base Score 4.3, CVE-2024-31404, CyVDB-3471

Impact

  • A user who can log in to the product with the administrative privilege may be able to cause a denial-of-service (DoS) condition (CVE-2024-31397)
  • A user who can log in to the product may obtain information on the list of users (CVE-2024-31398)
  • Processing a crafted mail may cause a denial-of-service (DoS) condition (CVE-2024-31399)
  • An arbitrary script may be executed on a logged-in user’s web browser (CVE-2024-31401)
  • A user who can log in to the product may delete the data of Shared To-Dos (CVE-2024-31402)
  • Unintended data may remain included in forwarded mail (CVE-2024-31400)
  • A user who can log in to the product may alter and/or obtain the data of Memo (CVE-2024-31403)
  • A user who can log in to the product may view the data of Scheduler (CVE-2024-31404)

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Products Affected

CVE-2024-31397, CVE-2024-31398, CVE-2024-31399, CVE-2024-31401, CVE-2024-31402
  • Cybozu Garoon 5.0.0 to 5.15.2

CVE-2024-31400
  • Cybozu Garoon 5.0.0 to 5.15.0

CVE-2024-31403
  • Cybozu Garoon 5.0.0 to 6.0.0

CVE-2024-31404
  • Cybozu Garoon 5.5.0 to 6.0.0
