Published: 2011/10/07  Last Updated: 2011/10/12

JVN#84838479
Cybozu Office vulnerable in restricting access

Overview

Cybozu Office contains a vulnerability in restricting access permissions.

Products Affected

  • Cybozu Office versions prior to 8.0.0

Description

Cybozu Office is groupware. Cybozu Office contains a vulnerability in restricting access permissions.

Impact

A user without the appropriate privileges may view an arbitrary user's attendance information.

Solution

Upgrade the Software
Upgrade to Cybozu Office 9, which addresses this vulnerability.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2011.10.07

Measures | Conditions | Severity
Access Required | can be attacked over the Internet using packets | High
Authentication | login caused to be created by an administrator | Low-Mid
User Interaction Required | the vulnerability can be exploited without an honest user taking any action | High
Exploit Complexity | the user must be convinced to take a difficult or suspicious action. If the honest user must have elevated privileges, they are likely to be more suspicious | High

Credit

Masako Ohno reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2011-2677
JVN iPedia: JVNDB-2011-000079

Update History

2011/10/12
Information under the section "Vendor Status" was added.