JVN#45797538
Multiple vulnerabilities in Cybozu Office
Overview
Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities.
Products Affected
- Cybozu Office 10.0.0 to 10.8.4
Description
Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below.
- [CyVDB-1657] Operational restrictions bypass vulnerability in Scheduler (CWE-264) - CVE-2021-20624
  CVSS v3: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score: 4.3
  CVSS v2: AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0
- [CyVDB-1727] Operational restrictions bypass vulnerability in Bulletin Board (CWE-264) - CVE-2021-20625
  CVSS v3: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score: 4.3
  CVSS v2: AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0
- [CyVDB-1895][CyVDB-2658] Operational restrictions bypass vulnerability in Workflow (CWE-264) - CVE-2021-20626
  CVSS v3: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score: 4.3
  CVSS v2: AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0
- [CyVDB-1899] Cross-site scripting vulnerability in Address Book (CWE-79) - CVE-2021-20627
  CVSS v3: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 4.7
  CVSS v2: AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
- [CyVDB-1924] Cross-site scripting vulnerability in Address Book (CWE-79) - CVE-2021-20628
  CVSS v3: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 4.7
  CVSS v2: AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
- [CyVDB-2014] Cross-site scripting vulnerability in E-mail (CWE-79) - CVE-2021-20629
  CVSS v3: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 4.7
  CVSS v2: AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
- [CyVDB-2018] Viewing restrictions bypass vulnerability in Phone Messages (CWE-264) - CVE-2021-20630
  CVSS v3: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3
  CVSS v2: AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0
- [CyVDB-2063] Improper input validation vulnerability in Custom App (CWE-20) - CVE-2021-20631
  CVSS v3: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L Base Score: 4.3
  CVSS v2: AV:N/AC:L/Au:S/C:N/I:N/A:P Base Score: 4.0
- [CyVDB-2263] Viewing restrictions bypass vulnerability in Bulletin Board (CWE-264) - CVE-2021-20632
  CVSS v3: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3
  CVSS v2: AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0
- [CyVDB-2310] Viewing restrictions bypass vulnerability in Cabinet (CWE-264) - CVE-2021-20633
  CVSS v3: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3
  CVSS v2: AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0
- [CyVDB-2764] Viewing restrictions bypass vulnerability in Custom App (CWE-264) - CVE-2021-20634
  CVSS v3: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3
  CVSS v2: AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0
- [CyVDB-1900] Cross-site scripting vulnerability in Address Book (CWE-79) - CVE-2021-20849
  CVSS v3: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 4.7
  CVSS v2: AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
Impact
- [CyVDB-1657]: A user who can log in to the product may alter the data of Scheduler without appropriate privileges.
- [CyVDB-1727]: A user who can log in to the product may alter the data of Bulletin Board without appropriate privileges.
- [CyVDB-1895] and [CyVDB-2658]: A user who can log in to the product may alter the data of Workflow without appropriate privileges.
- [CyVDB-1899], [CyVDB-1924], [CyVDB-2014] and [CyVDB-1900]: An arbitrary script may be executed on a logged-in user's web browser. Note that the [CyVDB-1924] issue only occurs when using Mozilla Firefox.
- [CyVDB-2018]: A user who can log in to the product may obtain the data of Phone Messages without the viewing privileges.
- [CyVDB-2063]: A user who can log in to the product may alter the data of Custom App.
- [CyVDB-2263]: A user who can log in to the product may obtain the data of Bulletin Board without the viewing privileges.
- [CyVDB-2310]: A user who can log in to the product may obtain the data of Cabinet without the viewing privileges.
- [CyVDB-2764]: A user who can log in to the product may obtain the data of Custom App without the viewing privileges.
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
Cybozu, Inc. | Vulnerable | 2021/12/17 | Cybozu, Inc. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
CVE-2021-20624, CVE-2021-20625 and CVE-2021-20629
Yuji Tounai reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.
CVE-2021-20627, CVE-2021-20628 and CVE-2021-20849
Kanta Nishitani of Ierae Security Inc. reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.
CVE-2021-20630 and CVE-2021-20631
Shuichi Uruma reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.
CVE-2021-20626, CVE-2021-20632, CVE-2021-20633 and CVE-2021-20634
Cybozu, Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solution through JVN.
Other Information
Source | Reference |
---|---|
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2021-20624, CVE-2021-20625, CVE-2021-20626, CVE-2021-20627, CVE-2021-20628, CVE-2021-20629, CVE-2021-20630, CVE-2021-20631, CVE-2021-20632, CVE-2021-20633, CVE-2021-20634, CVE-2021-20849 |
JVN iPedia | JVNDB-2021-000022 |
Update History
- 2021/12/17
  - Added information on "CyVDB-1900" to [Description] and [Impact], added the CVE information to [Other Information] and updated the [Credit] information.
- 2021/12/17
  - Cybozu, Inc. updated its status.