JVN#20573662
Multiple vulnerabilities in Cybozu Office
Overview
Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities.
Products Affected
- Cybozu Office 10.0.0 to 10.8.5
Description
Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below.
- [CyVDB-839][CyVDB-2300][CyVDB-3109] Browse restriction bypass vulnerability in Cabinet (CWE-284) - CVE-2022-32283
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3 CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0 - [CyVDB-1795] Operation restriction bypass vulnerability in Project (CWE-285) - CVE-2022-32544
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score: 4.3 CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0 - [CyVDB-1800][CyVDB-2798][CyVDB-2927] Browse restriction bypass vulnerability in Custom App (CWE-284) - CVE-2022-29891
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3 CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0 - [CyVDB-1849] Cross-site scripting vulnerability in the specific parameters (CWE-79) - CVE-2022-33151
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1 CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6 - [CyVDB-1851][CyVDB-1856][CyVDB-1873][CyVDB-1944][CyVDB-2173] Cross-site scripting vulnerability in the specific parameters (CWE-79) - CVE-2022-28715
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1 CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6 - [CyVDB-1859] Cross-site scripting vulnerability in the specific parameters (CWE-79) - CVE-2022-30604
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1 CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6 - [CyVDB-2030] HTTP header injection vulnerability (CWE-113) - CVE-2022-32453
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1 CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6 - [CyVDB-2152][CyVDB-2153][CyVDB-2154][CyVDB-2155] Information disclosure vulnerability in the system configuration (CWE-200) - CVE-2022-30693
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score: 5.3 CVSS v2 AV:N/AC:L/Au:N/C:P/I:N/A:N Base Score: 5.0 - [CyVDB-2693] Operation restriction bypass vulnerability in Scheduler (CWE-285) - CVE-2022-32583
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score: 4.3 CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0 - [CyVDB-2695][CyVDB-2819] Browse restriction bypass vulnerability in Scheduler (CWE-284) - CVE-2022-25986
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3 CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0 - [CyVDB-2770] Browse restriction bypass vulnerability in Address Book (CWE-284) - CVE-2022-33311
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3 CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0 - [CyVDB-2939] Cross-site scripting vulnerability in the specific parameters (CWE-79) - CVE-2022-29487
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1 CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
Impact
- [CyVDB-839], [CyVDB-2300], [CyVDB-3109]:
A user who can log in to the product may obtain the data of Cabinet. - [CyVDB-1795]:
A user who can log in to the product may alter the data of Project. - [CyVDB-1800], [CyVDB-2798], [CyVDB-2927]:
A user who can log in to the product may obtain the data of Custom App. - [CyVDB-1849], [CyVDB-1851], [CyVDB-1856], [CyVDB-1859], [CyVDB-1873], [CyVDB-1944], [CyVDB-2173], [CyVDB-2939]:
An arbitrary script may be executed on a logged-in user's web browser. - [CyVDB-2030]:
A remote attacker may obtain and/or alter the data of the product. - [CyVDB-2152], [CyVDB-2153], [CyVDB-2154], [CyVDB-2155]:
A remote attacker may obtain the data of the product. - [CyVDB-2693]:
A user who can log in to the product may alter the data of Scheduler. - [CyVDB-2695], [CyVDB-2819]:
A user who can log in to the product may obtain the data of Scheduler. - [CyVDB-2770]:
A user who can log in to the product may obtain the data of Address Book.
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
Cybozu, Inc. | Vulnerable | 2022/07/20 | Cybozu, Inc. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
CVE-2022-28715, CVE-2022-30604, CVE-2022-32453, CVE-2022-33151
Masato Kinugawa reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.
CVE-2022-29891, CVE-2022-32544, CVE-2022-32583
Yuji Tounai reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.
CVE-2022-30693
Kanta Nishitani of Ierae Security Inc. reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
CVE-2022-29487, CVE-2022-25986, CVE-2022-32283, CVE-2022-33311
Cybozu, Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solution through JVN.
Other Information
JPCERT Alert |
|
JPCERT Reports |
|
CERT Advisory |
|
CPNI Advisory |
|
TRnotes |
|
CVE |
CVE-2022-25986 |
CVE-2022-28715 |
|
CVE-2022-29487 |
|
CVE-2022-29891 |
|
CVE-2022-30604 |
|
CVE-2022-30693 |
|
CVE-2022-32283 |
|
CVE-2022-32453 |
|
CVE-2022-32544 |
|
CVE-2022-32583 |
|
CVE-2022-33151 |
|
CVE-2022-33311 |
|
JVN iPedia |
JVNDB-2022-000054 |
Update History
- 2022/07/21
- Information under the section [Description] was fixed.