Published: 2019/12/17  Last Updated: 2019/12/17

JVN#79854355
Multiple vulnerabilities in Cybozu Office

Overview

Cybozu Office contains multiple vulnerabilities.

Products Affected

  • Cybozu Office 10.0.0 to 10.8.3

Description

Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below.

  • Directory traversal in the "Customapp" function (CWE-22) - CVE-2019-6022
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N Base Score: 7.7
    CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0
  • Browse restriction bypass in the application "Address" (CWE-284) - CVE-2019-6023
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0

Impact

  • A user who can use the "Customapp" function may alter arbitrary files on the server - CVE-2019-6022
  • A user who can log in to the product may obtain data without access privileges - CVE-2019-6023

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor          Status        Last Update    Vendor Notes
Cybozu, Inc.    Vulnerable    2019/12/17     Cybozu, Inc. website

Credit

The two vulnerabilities were reported directly to Cybozu, Inc. by the following persons, and Cybozu, Inc. reported the vulnerabilities to JPCERT/CC to notify users of the solution through JVN.

CVE-2019-6022 by Shoji Baba
CVE-2019-6023 by Tanghaifeng

Other Information

CVE: CVE-2019-6022, CVE-2019-6023
JVN iPedia: JVNDB-2019-000076