JVN#41694426
Multiple vulnerabilities in Cybozu Garoon

Overview

Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities.

Products Affected

[CyVDB-3122]

• Cybozu Garoon 4.10.0 to 5.9.2

• Cybozu Garoon 4.6.0 to 5.9.2

• Cybozu Garoon 5.15.0

Description

Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.

• [CyVDB-3122] Denial-of-service (DoS) in Message (CWE-400) - CVE-2023-26595

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L	Base Score: 5.0
  CVSS v2	AV:N/AC:L/Au:S/C:N/I:N/A:P	Base Score: 4.0

• [CyVDB-3142] Operation restriction bypass vulnerability in Message and Bulletin (CWE-285) - CVE-2023-27304

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	Base Score: 4.3
  CVSS v2	AV:N/AC:L/Au:S/C:N/I:P/A:N	Base Score: 4.0

• [CyVDB-3165] Operation restriction bypass vulnerability in MultiReport (CWE-284) - CVE-2023-27384

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	Base Score: 4.3
  CVSS v2	AV:N/AC:L/Au:S/C:N/I:P/A:N	Base Score: 4.0

Impact

• [CyVDB-3122]:
  A user who can log in to the product may be able to cause a denial-of-service (DoS) condition.
• [CyVDB-3142]:
  A user who can log in to the product may alter the data of Message and/or Bulletin.
• [CyVDB-3165]:
  A user who can log in to the product may alter the data of MultiReport.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.