Japan Vulnerability NotesJVN:51737843JVN#51737843: Multiple vulnerabilities in Cybozu Office
6.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
6.5 Medium
CVSS2
Access Vector
Access Complexity
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
48.9%
Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below.
Information disclosure in the application “Message” when viewing an external image (CWE-200) - CVE-2018-0526
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | Base Score: 4.3 |
| CVSS v2 | AV:N/AC:M/Au:N/C:P/I:N/A:N | Base Score: 4.3 |
Stored cross-site scripting in “E-mail Details Screen” of the application “E-mail” (CWE-79) - CVE-2018-0527
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Base Score: 6.1 |
| CVSS v2 | AV:N/AC:M/Au:N/C:N/I:P/A:N | Base Score: 4.3 |
Browse restriction bypass in the application “Scheduler” (CWE-264) - CVE-2018-0528
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | Base Score: 4.3 |
| CVSS v2 | AV:N/AC:M/Au:S/C:P/I:N/A:N | Base Score: 3.5 |
Denial-of-service (DoS) in the application “Message” due to a flaw in processing of an attached file (CWE-20) - CVE-2018-0529
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L | Base Score: 4.3 |
| CVSS v2 | AV:N/AC:L/Au:N/C:N/I:N/A:P | Base Score: 5.0 |
Reflected cross-site scripting in the application “MultiReport” (CWE-79) - CVE-2018-0565
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Base Score: 6.1 |
| CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | Base Score: 2.6 |
Browse restriction bypass in the application “Scheduler” (CWE-264) - CVE-2018-0566
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | Base Score: 4.3 |
| CVSS v2 | AV:N/AC:M/Au:S/C:P/I:N/A:N | Base Score: 3.5 |
Operation restriction bypass in the application “Bulletin” (CWE-264) - CVE-2018-0567
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | Base Score: 4.3 |
| CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | Base Score: 3.5 |
Impact
- If a user browses a message, an attached image located in an external server may be displayed without the user’s permission - CVE-2018-0526
- An arbitrary script may be executed on the logged in user’s web browser - CVE-2018-0527, CVE-2018-0565
- A user who can login to the product may view the schedules that are not permitted to access - CVE-2018-0528
- Attaching a specially crafted image file in “Compose E-mail screen” by a user may result in Denial-of-service (DoS) condition - CVE-2018-0529
- The schedule may be obtained by a user who does not have privileges to access - CVE-2018-0566
- A user without privileges may access and write data prior to being public - CVE-2018-0567
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
Products Affected
- Cybozu Office 10.0.0 to 10.7.0 (CVE-2018-0526, CVE-2018-0527, CVE-2018-0528, CVE-2018-0529)
- Cybozu Office 10.0.0 to 10.8.0 (CVE-2018-0565, CVE-2018-0566, CVE-2018-0567)
Related
6.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
6.5 Medium
CVSS2
Access Vector
Access Complexity
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
48.9%