Published: 2020/08/11  Last Updated: 2020/08/11

JVN#46258789
Multiple vulnerabilities in CyberMail

Overview

CyberMail contains multiple vulnerabilities.

Products Affected

  • CyberMail Ver.6.x
  • CyberMail Ver.7.x

Description

CyberMail contains multiple vulnerabilities listed below.

  • Cross-site Scripting (CWE-79) - CVE-2020-5540
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3
  • Open Redirect (CWE-601) - CVE-2020-5541
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N Base Score: 4.7
    CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3

Impact

  • An arbitrary script may be executed on the user's web browser - CVE-2020-5540
  • When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack - CVE-2020-5541

Solution

Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released the following patch for CyberMail Ver.7.x to address these vulnerabilities.
CyberMail 6.x is no longer supported (EOS), and there are no plans to release a patch for it.

  • hotfix_cmv7sp3_200616

Apply workarounds
Applying workarounds may mitigate the impacts of these vulnerabilities.
For the details, refer to the support documentation provided by the developer (Japanese Only) (Registered Users Only).

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Tony Kuo and Chia-Lung Hsieh of CHT Security reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

  • CVE: CVE-2020-5540, CVE-2020-5541
  • JVN iPedia: JVNDB-2020-000053