Japan Vulnerability NotesJVN:45797538JVN#45797538: Multiple vulnerabilities in Cybozu Office
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
47.1%
Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below.
[CyVDB-1657] Operational restrictions bypass vulnerability in Scheduler (CWE-264) - CVE-2021-20624
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | Base Score: 4.3 |
| CVSS v2 | AV:N/AC:L/Au:S/C:N/I:P/A:N | Base Score: 4.0 |
[CyVDB-1727] Operational restrictions bypass vulnerability in Bulletin Board (CWE-264) - CVE-2021-20625
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | Base Score: 4.3 |
| CVSS v2 | AV:N/AC:L/Au:S/C:N/I:P/A:N | Base Score: 4.0 |
[CyVDB-1895][CyVDB-2658] Operational restrictions bypass vulnerability in Workflow (CWE-264) - CVE-2021-20626
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | Base Score: 4.3 |
| CVSS v2 | AV:N/AC:L/Au:S/C:N/I:P/A:N | Base Score: 4.0 |
[CyVDB-1899] Cross-site scripting vulnerability in Address Book (CWE-79) - CVE-2021-20627
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N | Base Score: 4.7 |
| CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | Base Score: 2.6 |
[CyVDB-1924] Cross-site scripting vulnerability in Address Book (CWE-79) - CVE-2021-20628
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N | Base Score: 4.7 |
| CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | Base Score: 2.6 |
[CyVDB-2014] Cross-site scripting vulnerability in E-mail (CWE-79) - CVE-2021-20629
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N | Base Score: 4.7 |
| CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | Base Score: 2.6 |
[CyVDB-2018] Viewing restrictions bypass vulnerability in Phone Messages (CWE-264) - CVE-2021-20630
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | Base Score: 4.3 |
| CVSS v2 | AV:N/AC:L/Au:S/C:P/I:N/A:N | Base Score: 4.0 |
[CyVDB-2063] Improper input validation vulnerability in Custom App (CWE-20) - CVE-2021-20631
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | Base Score: 4.3 |
| CVSS v2 | AV:N/AC:L/Au:S/C:N/I:N/A:P | Base Score: 4.0 |
[CyVDB-2263] Viewing restrictions bypass vulnerability in Bulletin Board (CWE-264) - CVE-2021-20632
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | Base Score: 4.3 |
| CVSS v2 | AV:N/AC:L/Au:S/C:P/I:N/A:N | Base Score: 4.0 |
[CyVDB-2310] Viewing restrictions bypass vulnerability in Cabinet (CWE-264) - CVE-2021-20633
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | Base Score: 4.3 |
| CVSS v2 | AV:N/AC:L/Au:S/C:P/I:N/A:N | Base Score: 4.0 |
[CyVDB-2764] Viewing restrictions bypass vulnerability in Custom App (CWE-264) - CVE-2021-20634
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | Base Score: 4.3 |
| CVSS v2 | AV:N/AC:L/Au:S/C:P/I:N/A:N | Base Score: 4.0 |
[CyVDB-1900] Cross-site scripting vulnerability in Address Book (CWE-79) - CVE-2021-20849
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N | Base Score: 4.7 |
| CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | Base Score: 2.6 |
Impact
- [CyVDB-1657]:
A user who can log in to the product may alter the data of Scheduler without appropriate privileges. - [CyVDB-1727]:
A user who can log in to the product may alter the data of Bulletin Board without appropriate privileges. - [CyVDB-1895] and [CyVDB-2658]:
A user who can log in to the product may alter the data of Workflow without appropriate privileges. - [CyVDB-1899], [CyVDB-1924], [CyVDB-2014] and [CyVDB-1900]:
An arbitrary script may be executed on a logged-in user’s web browser. Note that [CyVDB-1924] issue only occurs when using Mozilla firefox. - [CyVDB-2018]:
A user who can log in to the product may obtain the data of Phone Messages without the viewing privileges. - [CyVDB-2063]:
A user who can log in to the product may alter the data of Custom App. - [CyVDB-2263]:
A user who can log in to the product may obtain the data of Bulletin Board without the viewing privileges. - [CyVDB-2310]:
A user who can log in to the product may obtain the data of Cabinet without the viewing privileges. - [CyVDB-2764]:
A user who can log in to the product may obtain the data of Custom App without the viewing privileges.
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
Products Affected
- Cybozu Office 10.0.0 to 10.8.4
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
47.1%