Published: 2020/08/11 Last Updated: 2020/08/11
JVN#46258789
Multiple vulnerabilities in CyberMail
Overview
CyberMail contains multiple vulnerabilities.
Products Affected
- CyberMail Ver.6.x
- CyberMail Ver.7.x
Description
CyberMail contains multiple vulnerabilities listed below.
- Cross-site Scripting (CWE-79) - CVE-2020-5540
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
  CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3
- Open Redirect (CWE-601) - CVE-2020-5541
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N Base Score: 4.7
  CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3
Impact
- An arbitrary script may be executed on the user's web browser - CVE-2020-5540
- When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack - CVE-2020-5541
Solution
Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released the following patch for CyberMail Ver.7.x to address this vulnerability.
- hotfix_cmv7sp3_200616
CyberMail 6.x is no longer supported (EOS), and there are no plans to release a patch for it.
Apply workarounds
Applying workarounds may mitigate the impacts of these vulnerabilities.
For the details, refer to the support documentation provided by the developer (Japanese Only) (Registered Users Only).
Vendor Status
Vendor | Link |
CyberSolutions Inc. | FAQ#: 1000985 CVE-2020-5540,CVE-2020-5541 Multiple vulnerabilities in CyberMail (JVN#46258789) |
Credit
Tony Kuo and Chia-Lung Hsieh of CHT Security reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
CVE | CVE-2020-5540, CVE-2020-5541 |
JVN iPedia | JVNDB-2020-000053 |