Published:2014/01/28 Last Updated:2014/01/28
JVN#91153528
Multiple SQL injection vulnerabilities in Cybozu Garoon
Overview
Cybozu Garoon contains multiple SQL injection vulnerabilities.
Note that this vulnerability is different from
JVN#60997973.
Products Affected
- Cybozu Garoon version 3.7 Service Pack 2 and earlier
Description
Cybozu Garoon contains issues in the process of page navigation link and input through API, which may result in SQL injection.
Impact
A user who can log in to the system may obtain or alter data in the database.
Solution
Apply the Patch
Apply the appropriate patch according to the information provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Cybozu, Inc. | Vulnerable | 2014/01/28 | Cybozu, Inc. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2014.01.28
| Measures | Conditions | Severity |
|---|---|---|
| Access Required | can be attacked over the Internet using packets |
|
| Authentication | login caused to be created by an administrator |
|
| User Interaction Required | the vulnerability can be exploited without an honest user taking any action |
|
| Exploit Complexity | some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls) |
|
Credit
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes | |
| CVE |
CVE-2013-6930 |
|
CVE-2013-6931 |
|
| JVN iPedia |
JVNDB-2014-000010 |