SB2019121705 - Multiple vulnerabilities in Cybozu Office

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Path traversal (CVE-ID: CVE-2019-6022)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in the "Customapp" function. A remote authenticated attacker can send a specially crafted HTTP request and alter arbitrary files on the server.

2) Improper access control (CVE-ID: CVE-2019-6023)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the "Address" application. A remote authenticated attacker can bypass implemented security restrictions and obtain data without access privileges.

Remediation

Install update from vendor's website.

References

• https://jvn.jp/en/jp/JVN79854355/index.html
• https://cs.cybozu.co.jp/2019/006976.html