SB2022072089 - Multiple vulnerabilities in Cybozu Office

Published: July 20, 2022

Security Bulletin ID: SB2022072089
Severity: Medium
Patch available: YES
Number of vulnerabilities: 12
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 17%
Low: 83%

Description

This security bulletin contains information about 12 security vulnerabilities.


1) Improper access control (CVE-ID: CVE-2022-32283)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in Cabinet. A remote user can bypass the implemented security restrictions and obtain data stored in Cabinet.


2) Improper Authorization (CVE-ID: CVE-2022-32544)

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to an operation restriction bypass in Project. A remote user can alter data stored in Project.


3) Improper access control (CVE-ID: CVE-2022-29891)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in Custom App. A remote user can bypass the implemented security restrictions and obtain data stored in Custom App.


4) Cross-site scripting (CVE-ID: CVE-2022-33151)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in certain parameters. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


5) Cross-site scripting (CVE-ID: CVE-2022-28715)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in certain parameters. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


6) Cross-site scripting (CVE-ID: CVE-2022-30604)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in certain parameters. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


7) HTTP response splitting (CVE-ID: CVE-2022-32453)

The vulnerability allows a remote attacker to perform HTTP response splitting attacks.

The vulnerability exists due to the software not correctly processing CRLF character sequences. A remote attacker can send a specially crafted request containing a CRLF sequence and cause the application to send a split HTTP response.

Successful exploitation of the vulnerability may allow an attacker to perform a cache poisoning attack.
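To make the CRLF handling concrete, here is an added Python example (not Cybozu code and not part of this bulletin) that contrasts a header builder which does not reject line breaks with a hardened setter, and adds a log-side check for URL-encoded CR/LF in query parameters; all function names and sample values are constructed.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Matches a bare CR or LF anywhere in a header name or value.
CRLF_RE = re.compile(r"[\r\n]")

def build_redirect_unchecked(location: str) -> bytes:
    """Constructed 'before' pattern: an untrusted value is copied into the
    Location header without rejecting line breaks, so a value containing
    CRLF terminates the header early and smuggles in further header lines."""
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode("latin-1")

def is_safe_header_value(value: str) -> bool:
    """True when the value contains no CR or LF (the check the bulletin
    says the affected software lacks)."""
    return CRLF_RE.search(value) is None

def set_header_hardened(headers: Dict[str, str], name: str, value: str) -> None:
    """Hardened variant: refuse any header name or value containing CR or LF."""
    if not (is_safe_header_value(name) and is_safe_header_value(value)):
        raise ValueError("CR/LF not permitted in an HTTP header")
    headers[name] = value

def parse_response_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw response at the first blank line and return its header
    (name, value) pairs, i.e. what a cache or browser would see."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

def flag_crlf_in_query(query_string: str) -> List[str]:
    """Detection helper for request logs: names of query parameters whose
    URL-decoded value contains CR or LF (%0d / %0a on the wire)."""
    hits = []
    for part in query_string.split("&"):
        name, _, value = part.partition("=")
        if not is_safe_header_value(unquote(value)):
            hits.append(name)
    return hits

if __name__ == "__main__":
    tainted = "/home\r\nX-Injected: demo"  # constructed sample value
    print(parse_response_headers(build_redirect_unchecked(tainted)))
```

Run against the constructed value, the unchecked builder yields two headers where one was intended, the hardened setter raises, and the query check flags the parameter carrying %0d%0a.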


8) Information disclosure (CVE-ID: CVE-2022-30693)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in the system configuration. A remote attacker can gain unauthorized access to sensitive information on the system.


9) Improper Authorization (CVE-ID: CVE-2022-32583)

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to an operation restriction bypass in Scheduler. A remote user can alter data stored in Scheduler.


10) Improper access control (CVE-ID: CVE-2022-25986)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in Scheduler. A remote user can bypass the implemented security restrictions and obtain data stored in Scheduler.


11) Improper access control (CVE-ID: CVE-2022-33311)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in Address Book. A remote user can bypass the implemented security restrictions and obtain data stored in Address Book.


12) Cross-site scripting (CVE-ID: CVE-2022-29487)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in certain parameters. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


Remediation

Install the update from the vendor's website.