Published: 2005/02/07 Last Updated: 2008/05/21
JVN#8F8B1C85
Cybozu Office browser script execution vulnerability
Overview
The web mail function of Cybozu Office, which supports HTML mail, contains a vulnerability that may allow an attacker to execute script in a user's browser.
Products Affected
- Cybozu Office 6.1 (1.0) and earlier
Description
Impact
If a user who is logged into Cybozu Office uses the web mail function to open an email containing exploit code sent by a remote attacker, cookies in the browser could be stolen.
As Cybozu Office stores login session ID information in an HTTP cookie, an attacker could exploit this vulnerability to steal the session ID and hijack the session.
Solution
References
JPCERT/CC Addendum
Credit
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | |
JVN iPedia | JVNDB-2005-000757 |