Published: 2019/07/16  Last Updated: 2019/08/23

JVN#62618482
Multiple vulnerabilities in Cybozu Garoon

Overview

Cybozu Garoon contains multiple vulnerabilities.

Products Affected

CVE-2019-5975
  • Cybozu Garoon 4.6.0 to 4.10.2

CVE-2019-5976, CVE-2019-5977 and CVE-2019-5978
  • Cybozu Garoon 4.0.0 to 4.10.2

Description

Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.

  • DOM-based cross-site scripting in the application "Portal" (CWE-79) - CVE-2019-5975
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 4.4
    CVSS v2 AV:N/AC:H/Au:M/C:N/I:P/A:N Base Score: 1.7
  • Denial-of-service (DoS) (CWE-20) - CVE-2019-5976
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H Base Score: 4.9
    CVSS v2 AV:N/AC:L/Au:S/C:N/I:N/A:P Base Score: 4.0
  • Mail header injection in the application "E-mail" (CWE-74) - CVE-2019-5977
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0
  • Open redirect in the application "Scheduler" (CWE-601) - CVE-2019-5978
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N Base Score: 4.7
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6

Impact

  • An arbitrary script may be executed in the logged-in user's web browser while accessing a malicious web page - CVE-2019-5975
  • A denial-of-service (DoS) condition may be caused if an attacker with administrative privileges alters session authentication data - CVE-2019-5976
  • Mail with a header altered by a user may be sent - CVE-2019-5977
  • A user may be redirected to an arbitrary website when accessing a specially crafted URL - CVE-2019-5978

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor        Status      Last Update  Vendor Notes
Cybozu, Inc.  Vulnerable  2019/07/16   Cybozu, Inc. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Masato Kinugawa reported the CVE-2019-5975 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.

Kanta Nishitani reported the CVE-2019-5976 and CVE-2019-5978 vulnerabilities to Cybozu, Inc., and Cybozu, Inc. reported them to JPCERT/CC to notify users of their solution through JVN.

Shuichi Uruma reported the CVE-2019-5977 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE          CVE-2019-5975, CVE-2019-5976, CVE-2019-5977, CVE-2019-5978
JVN iPedia   JVNDB-2019-000047

Update History

2019/08/23
Fixed spelling error under "Impact"