Published: 2021/12/20  Last Updated: 2021/12/21

JVN#79798166
Multiple vulnerabilities in GroupSession

Overview

GroupSession provided by Japan Total System Co.,Ltd. contains multiple vulnerabilities.

Products Affected

  • GroupSession Free edition ver5.1.1 and earlier
  • GroupSession byCloud ver5.1.1 and earlier
  • GroupSession ZION ver5.1.1 and earlier

Description

GroupSession provided by Japan Total System Co.,Ltd. contains multiple vulnerabilities listed below.

  • Incorrect Permission Assignment for Critical Resource (CWE-732) - CVE-2021-20874
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score: 7.5
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:N/A:N Base Score: 5.0
  • Open redirect (CWE-601) - CVE-2021-20875
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N Base Score: 4.7
    CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3
  • Path Traversal (CWE-22) - CVE-2021-20876
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Base Score: 4.9
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0

Impact

  • A remote attacker may access arbitrary files on the server. As a result, sensitive information may be obtained - CVE-2021-20874
  • When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack - CVE-2021-20875
  • A remote attacker who has logged in to the product with an administrative account may obtain sensitive information stored in directories above the published site's directory on the server - CVE-2021-20876
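As an added illustration, not the vendor's code and not a description of GroupSession's actual implementation, the two input checks below show how a web application can close the open-redirect (CWE-601) and path-traversal (CWE-22) classes listed above; the host name and document root are constructed placeholders.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed values for this example (hypothetical, not from the advisory):
# the host the application is served on and the only directory it may read from.
APP_HOST = "groupware.example.com"
DOC_ROOT = "/var/www/groupsession/public"


def is_safe_redirect(target: str, app_host: str = APP_HOST) -> bool:
    """Allow a redirect only to a local absolute path or to app_host itself (CWE-601)."""
    # Whitespace, control characters and backslashes let browsers reinterpret the
    # URL ("/\evil.example" resolves like "//evil.example"), so reject them outright.
    if not target or any(ord(c) < 33 for c in target) or "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, and similar schemes
    if parts.netloc:
        # Absolute or scheme-relative ("//host/..."): the host must match exactly;
        # "user@host" tricks fail because hostname is taken from after the "@".
        return parts.hostname == app_host and parts.username is None
    # No host given: only a path rooted at "/" stays on this site.
    return parts.path.startswith("/")


def resolve_under_root(requested: str, root: str = DOC_ROOT):
    """Map a requested file name onto root, or return None if it would escape (CWE-22)."""
    root = posixpath.normpath(root)
    decoded = unquote(requested)  # decode once, as the server would
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Join as a relative path so an absolute request cannot replace root, then
    # collapse "." and ".." segments.
    joined = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if joined != root and not joined.startswith(root + "/"):
        return None  # climbed above the published directory
    return joined


if __name__ == "__main__":
    print(is_safe_redirect("/main/dashboard"))               # True
    print(is_safe_redirect("//evil.example/login"))          # False
    print(resolve_under_root("docs/manual.pdf"))             # /var/www/groupsession/public/docs/manual.pdf
    print(resolve_under_root("..%2F..%2F..%2Fetc/passwd"))   # None
```

posixpath works on strings only, so the example runs offline; a real file handler should additionally resolve symlinks with os.path.realpath before opening the file.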

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

Vendor: Japan Total System Co.,Ltd.
Status: Vulnerable
Last Update: 2021/12/20
Vendor Notes: Japan Total System Co.,Ltd. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2021-20874
TAKUMA SHIGA reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2021-20875, CVE-2021-20876
Tsutomu Aramaki of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE: CVE-2021-20874, CVE-2021-20875, CVE-2021-20876
JVN iPedia: JVNDB-2021-000111

Update History

2021/12/21
Fixed the typo under the section [Credit]