Published: 2021/09/30  Last Updated: 2022/04/25

JVN#52694228
Multiple vulnerabilities in Cybozu Remote Service

Overview

Cybozu Remote Service provided by Cybozu, Inc. contains multiple vulnerabilities.

Products Affected

CVE-2021-20795, CVE-2021-20798, CVE-2021-20799, CVE-2021-20801, CVE-2021-20802, CVE-2021-20803, CVE-2021-20804
  • Cybozu Remote Service 3.1.8 to 3.1.9

CVE-2021-20796, CVE-2021-20797, CVE-2021-20800
  • Cybozu Remote Service 3.1.8

CVE-2021-20805
  • Cybozu Remote Service 3.1.7 to 3.1.9

CVE-2021-20806, CVE-2021-20807
  • Cybozu Remote Service 3.0.0 to 3.1.9

CVE-2022-26838
  • Cybozu Remote Service 3.1.2

Description

Cybozu Remote Service provided by Cybozu, Inc. contains multiple vulnerabilities listed below.

  • [CyVDB-525] Cross-site request forgery vulnerability in the management screen (CWE-352) - CVE-2021-20795
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Base Score: 6.5
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
  • [CyVDB-1742] Path traversal vulnerability in the management screen (CWE-22) - CVE-2021-20796
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L Base Score: 4.2
    CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:P Base Score: 4.9
  • [CyVDB-1806] Cross-site script inclusion vulnerability in the management screen (CWE-829) - CVE-2021-20797
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4
    CVSS v2 AV:N/AC:H/Au:S/C:N/I:P/A:N Base Score: 2.1
  • [CyVDB-1808] Cross-site scripting vulnerability in the management screen (CWE-79) - CVE-2021-20798
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4
    CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5
  • [CyVDB-1809] Cross-site scripting vulnerability in the management screen (CWE-79) - CVE-2021-20799
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4
    CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5
  • [CyVDB-1810] Cross-site scripting vulnerability in the management screen (CWE-79) - CVE-2021-20800
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4
    CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5
  • [CyVDB-1811] XML external entity injection (XXE) vulnerability (CWE-611) - CVE-2021-20801
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0
  • [CyVDB-1814] HTTP header injection vulnerability (CWE-113) - CVE-2021-20802
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
  • [CyVDB-1820] Operation restriction bypass in the management screen (CWE-264) - CVE-2021-20803
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Base Score: 5.4
    CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:P Base Score: 5.5
  • [CyVDB-1830] Denial-of-service (DoS) vulnerability (CWE-400) - CVE-2021-20804
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H Base Score: 5.3
    CVSS v2 AV:N/AC:M/Au:S/C:N/I:N/A:C Base Score: 6.3
  • [CyVDB-1862] Cross-site scripting vulnerability in the management screen (CWE-79) - CVE-2021-20805
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4
    CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5
  • [CyVDB-1968] Open redirect vulnerability (CWE-601) - CVE-2021-20806
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N Base Score: 3.4
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
  • [CyVDB-2028] Cross-site scripting vulnerability in the management screen (CWE-79) - CVE-2021-20807
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
  • [CyVDB-877] Path traversal vulnerability in Importing Mobile Device Data (CWE-22) - CVE-2022-26838
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L Base Score: 4.3
    CVSS v2 AV:N/AC:L/Au:S/C:N/I:N/A:P Base Score: 5.0

Impact

  • [CyVDB-525]:
    If a user views a malicious page while logged in, unintended operations may be performed.
  • [CyVDB-1742]:
    A user who can log in to the product may upload an arbitrary file.
  • [CyVDB-1806], [CyVDB-1811]:
    A user who can log in to the product may obtain the information stored in the product. Note that the [CyVDB-1806] issue only occurs when using Mozilla Firefox.
  • [CyVDB-1808], [CyVDB-1809], [CyVDB-1810], [CyVDB-1862], [CyVDB-2028]:
    An arbitrary script may be executed on a logged-in user's web browser.
  • [CyVDB-1814]:
    A remote attacker may alter the information stored in the product.
  • [CyVDB-1820]:
    A user who can log in to the product may alter the data of the management screen.
  • [CyVDB-1830], [CyVDB-877]:
    A user who can log in to the product may be able to cause a denial-of-service (DoS) condition.
  • [CyVDB-1968]:
    When accessing a specially crafted URL, the user may be redirected to an arbitrary website.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor        Status      Last Update  Vendor Notes
Cybozu, Inc.  Vulnerable  2022/04/25   Cybozu, Inc. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2021-20795
Masaaki Chida reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of the solution through JVN.

CVE-2021-20796, CVE-2021-20807
Toshitsugu Yoneyama (Mitsui Bussan Secure Directions, Inc.) reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.

CVE-2021-20805
Yuji Tounai reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of the solution through JVN.

CVE-2021-20806
Kanta Nishitani of Ierae Security Inc. reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of the solution through JVN.

CVE-2021-20797, CVE-2021-20798, CVE-2021-20799, CVE-2021-20800, CVE-2021-20801, CVE-2021-20802, CVE-2021-20803, CVE-2021-20804, CVE-2022-26838
Cybozu, Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solution through JVN.

Update History

2022/04/25
"CyVDB-877" added to [Products Affected], [Description] and [Impact], information on an additional CVE added to [Other Information], and [Credit] updated.
2022/04/25
Cybozu, Inc. updated its status.