Multiple vulnerabilities in Cybozu Office



Published: 2021-03-15
Risk: Low
Patch available: Yes
Number of vulnerabilities: 11
CVE-ID: CVE-2021-20624, CVE-2021-20625, CVE-2021-20626, CVE-2021-20627, CVE-2021-20628, CVE-2021-20629, CVE-2021-20630, CVE-2021-20631, CVE-2021-20632, CVE-2021-20633, CVE-2021-20634
CWE-ID: CWE-264, CWE-79
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Cybozu Office (Other software / Other software solutions)
Vendor: Cybozu

Security Bulletin

This security bulletin contains information about 11 vulnerabilities.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU51459

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-20624

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Scheduler. A remote authenticated attacker can alter the data of Scheduler without appropriate privileges.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Cybozu Office: 10.0.0 - 10.8.4

External links

http://jvn.jp/en/jp/JVN45797538/index.html
http://cs.cybozu.co.jp/2021/007306.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware which exploits this vulnerability?

2) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU51460

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-20625

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Bulletin Board. A remote authenticated attacker can alter the data of Bulletin Board without appropriate privileges.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Cybozu Office: 10.0.0 - 10.8.4

External links

http://jvn.jp/en/jp/JVN45797538/index.html
http://cs.cybozu.co.jp/2021/007306.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware which exploits this vulnerability?

3) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU51461

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-20626

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Workflow. A remote authenticated attacker can alter the data of Workflow without appropriate privileges.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Cybozu Office: 10.0.0 - 10.8.4

External links

http://jvn.jp/en/jp/JVN45797538/index.html
http://cs.cybozu.co.jp/2021/007306.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware which exploits this vulnerability?

4) Cross-site scripting

EUVDB-ID: #VU51462

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-20627

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in Address Book. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Cybozu Office: 10.0.0 - 10.8.4

External links

http://jvn.jp/en/jp/JVN45797538/index.html
http://cs.cybozu.co.jp/2021/007306.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware which exploits this vulnerability?

5) Cross-site scripting

EUVDB-ID: #VU51463

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-20628

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in Address Book. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Cybozu Office: 10.0.0 - 10.8.4

External links

http://jvn.jp/en/jp/JVN45797538/index.html
http://cs.cybozu.co.jp/2021/007306.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware which exploits this vulnerability?

6) Cross-site scripting

EUVDB-ID: #VU51464

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-20629

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in E-mail. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Cybozu Office: 10.0.0 - 10.8.4

External links

http://jvn.jp/en/jp/JVN45797538/index.html
http://cs.cybozu.co.jp/2021/007306.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware which exploits this vulnerability?

7) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU51465

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-20630

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Phone Messages. A remote authenticated attacker can obtain the data of Phone Messages without the viewing privileges.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Cybozu Office: 10.0.0 - 10.8.4

External links

http://jvn.jp/en/jp/JVN45797538/index.html
http://cs.cybozu.co.jp/2021/007306.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware which exploits this vulnerability?

8) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU51466

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-20631

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Custom App. A remote authenticated attacker can obtain the data of Bulletin Board without the viewing privileges.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Cybozu Office: 10.0.0 - 10.8.4

External links

http://jvn.jp/en/jp/JVN45797538/index.html
http://cs.cybozu.co.jp/2021/007306.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware which exploits this vulnerability?

9) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU51467

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-20632

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Bulletin Board. A remote authenticated attacker can obtain the data of Bulletin Board without the viewing privileges.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Cybozu Office: 10.0.0 - 10.8.4

External links

http://jvn.jp/en/jp/JVN45797538/index.html
http://cs.cybozu.co.jp/2021/007306.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware which exploits this vulnerability?

10) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU51468

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-20633

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Cabinet. A remote authenticated attacker can obtain the data of Cabinet without the viewing privileges.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Cybozu Office: 10.0.0 - 10.8.4

External links

http://jvn.jp/en/jp/JVN45797538/index.html
http://cs.cybozu.co.jp/2021/007306.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware which exploits this vulnerability?

11) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU51469

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-20634

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Custom App. A remote authenticated attacker can obtain the data of Custom App without the viewing privileges.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Cybozu Office: 10.0.0 - 10.8.4

External links

http://jvn.jp/en/jp/JVN45797538/index.html
http://cs.cybozu.co.jp/2021/007306.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware which exploits this vulnerability?
