JVN#52694228: Multiple vulnerabilities in Cybozu Remote Service

Overview

Cybozu Remote Service provided by Cybozu, Inc. contains multiple vulnerabilities.

Products Affected

CVE-2021-20795, CVE-2021-20798, CVE-2021-20799, CVE-2021-20801, CVE-2021-20802, CVE-2021-20803, CVE-2021-20804

Cybozu Remote Service 3.1.8 to 3.1.9

CVE-2021-20796, CVE-2021-20797, CVE-2021-20800

Cybozu Remote Service 3.1.8

CVE-2021-20805

Cybozu Remote Service 3.1.7 to 3.1.9

CVE-2021-20806, CVE-2021-20807

Cybozu Remote Service 3.0.0 to 3.1.9

CVE-2022-26838

Cybozu Remote Service 3.1.2

Description

Cybozu Remote Service provided by Cybozu, Inc. contains multiple vulnerabilities listed below.

[CyVDB-525] Cross-site request forgery vulnerability in the management screen (CWE-352) - CVE-2021-20795

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Base Score: 6.5

CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
[CyVDB-1742] Path traversal vulnerability in the management screen (CWE-22) - CVE-2021-20796

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L Base Score: 4.2

CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:P Base Score: 4.9
[CyVDB-1806] Cross-site script inclusion vulnerability in the management screen (CWE-829) - CVE-2021-20797

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4

CVSS v2 AV:N/AC:H/Au:S/C:N/I:P/A:N Base Score: 2.1
[CyVDB-1808] Cross-site scripting vulnerability in the management screen (CWE-79) - CVE-2021-20798

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4

CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5
[CyVDB-1809] Cross-site scripting vulnerability in the management screen (CWE-79) - CVE-2021-20799

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4

CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5
[CyVDB-1810] Cross-site scripting vulnerability in the management screen (CWE-79) - CVE-2021-20800

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4

CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5
[CyVDB-1811] XML external entity injection (XXE) vulnerability (CWE-611) - CVE-2021-20801

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3

CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0
[CyVDB-1814] HTTP header injection vulnerability (CWE-113) - CVE-2021-20802

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 4.3

CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
[CyVDB-1820] Operation restriction bypass in the management screen (CWE-264) - CVE-2021-20803

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Base Score: 5.4

CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:P Base Score: 5.5
[CyVDB-1830] Denial-of-service (DoS) vulnerability (CWE-400) - CVE-2021-20804

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H Base Score: 5.3

CVSS v2 AV:N/AC:M/Au:S/C:N/I:N/A:C Base Score: 6.3
[CyVDB-1862] Cross-site scripting vulnerability in the management screen (CWE-79) - CVE-2021-20805

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4

CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5
[CyVDB-1968] Open redirect vulnerability (CWE-601) - CVE-2021-20806

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N Base Score: 3.4

CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
[CyVDB-2028] Cross-site scripting vulnerability in the management screen (CWE-79) - CVE-2021-20807

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1

CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
[CyVDB-877] Path traversal vulnerability in Importing Mobile Device Data (CWE-22) - CVE-2022-26838

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L Base Score: 4.3

CVSS v2 AV:N/AC:L/Au:S/C:N/I:N/A:P Base Score: 5.0

Impact

[CyVDB-525]:
If a user views a malicious page while logged in, unintended operations may be performed.
[CyVDB-1742]:
A user who can log in to the product may upload an arbitrary file.
[CyVDB-1806], [CyVDB-1811]:
A user who can log in to the product may obtain the information stored in the product. Note that [CyVDB-1806] issue only occurs when using Mozilla firefox.
[CyVDB-1808], [CyVDB-1809], [CyVDB-1810], [CyVDB-1862], [CyVDB-2028]:
An arbitrary script may be executed on a logged-in user's web browser.
[CyVDB-1814]:
A remote attacker may alter the information stored in the product.
[CyVDB-1820]:
A user who can log in to the product may alter the data of the management screen.
[CyVDB-1830], [CyVDB-877]:
A user who can log in to the product may be able to cause a denial-of-service (DoS) condition.
[CyVDB-1968]:
When accessing a specially crafted URL, the user may be redirected to an arbitrary website.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor	Status	Last Update	Vendor Notes
Cybozu, Inc.	Vulnerable	2022/04/25	Cybozu, Inc. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2021-20795
Masaaki Chida reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of the solution through JVN.

CVE-2021-20796, CVE-2021-20807
Toshitsugu Yoneyama(Mitsui Bussan Secure Directions, Inc.) reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.

CVE-2021-20805
Yuji Tounai reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of the solution through JVN.

CVE-2021-20806
Kanta Nishitani of Ierae Security Inc. reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of the solution through JVN.

CVE-2021-20797, CVE-2021-20798, CVE-2021-20799, CVE-2021-20800, CVE-2021-20801, CVE-2021-20802, CVE-2021-20803, CVE-2021-20804, CVE-2022-26838
Cybozu, Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solution through JVN.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE	CVE-2021-20795
	CVE-2021-20796
	CVE-2021-20797
	CVE-2021-20798
	CVE-2021-20799
	CVE-2021-20800
	CVE-2021-20801
	CVE-2021-20802
	CVE-2021-20803
	CVE-2021-20804
	CVE-2021-20805
	CVE-2021-20806
	CVE-2021-20807
	CVE-2022-26838
JVN iPedia	JVNDB-2021-000088

Update History

2022/04/25: "CyVDB-877" added to [Products Affected], [Description] and [Impact], another CVE information added to [Other Information], and [Credit] updated.
2022/04/25: Cybozu, Inc. update status

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	Base Score: 6.5
CVSS v2	AV:N/AC:H/Au:N/C:N/I:P/A:N	Base Score: 2.6

CVSS v3	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L	Base Score: 4.2
CVSS v2	AV:N/AC:M/Au:S/C:N/I:P/A:P	Base Score: 4.9

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	Base Score: 5.4
CVSS v2	AV:N/AC:H/Au:S/C:N/I:P/A:N	Base Score: 2.1

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	Base Score: 4.3
CVSS v2	AV:N/AC:L/Au:S/C:P/I:N/A:N	Base Score: 4.0

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	Base Score: 4.3
CVSS v2	AV:N/AC:H/Au:N/C:N/I:P/A:N	Base Score: 2.6

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L	Base Score: 5.4
CVSS v2	AV:N/AC:L/Au:S/C:N/I:P/A:P	Base Score: 5.5

CVSS v3	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H	Base Score: 5.3
CVSS v2	AV:N/AC:M/Au:S/C:N/I:N/A:C	Base Score: 6.3

CVSS v3	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N	Base Score: 3.4
CVSS v2	AV:N/AC:H/Au:N/C:N/I:P/A:N	Base Score: 2.6

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	Base Score: 6.1
CVSS v2	AV:N/AC:H/Au:N/C:N/I:P/A:N	Base Score: 2.6

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L	Base Score: 4.3
CVSS v2	AV:N/AC:L/Au:S/C:N/I:N/A:P	Base Score: 5.0

JVN#52694228 Multiple vulnerabilities in Cybozu Remote Service