
JVN#51737843: Multiple vulnerabilities in Cybozu Office

2018-05-22 00:00:00
Japan Vulnerability Notes (jvn.jp)

CVSS3: 6.3 Medium

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: LOW
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS2: 6.5 Medium

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
  • Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS: 0.001 Low (Percentile: 48.9%)

Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below.

Information disclosure in the application “Message” when viewing an external image (CWE-200) - CVE-2018-0526

Version Vector Score
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Base Score: 4.3
CVSS v2 AV:N/AC:M/Au:N/C:P/I:N/A:N Base Score: 4.3

Stored cross-site scripting in “E-mail Details Screen” of the application “E-mail” (CWE-79) - CVE-2018-0527

Version Vector Score
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3

Browse restriction bypass in the application “Scheduler” (CWE-264) - CVE-2018-0528

Version Vector Score
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3
CVSS v2 AV:N/AC:M/Au:S/C:P/I:N/A:N Base Score: 3.5

Denial-of-service (DoS) in the application “Message” due to a flaw in processing of an attached file (CWE-20) - CVE-2018-0529

Version Vector Score
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L Base Score: 4.3
CVSS v2 AV:N/AC:L/Au:N/C:N/I:N/A:P Base Score: 5.0

Reflected cross-site scripting in the application “MultiReport” (CWE-79) - CVE-2018-0565

Version Vector Score
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6

Browse restriction bypass in the application “Scheduler” (CWE-264) - CVE-2018-0566

Version Vector Score
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3
CVSS v2 AV:N/AC:M/Au:S/C:P/I:N/A:N Base Score: 3.5

Operation restriction bypass in the application “Bulletin” (CWE-264) - CVE-2018-0567

Version Vector Score
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score: 4.3
CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5

Impact

  • When a user views a message, an attached image located on an external server may be displayed without the user’s permission - CVE-2018-0526
  • An arbitrary script may be executed in the logged-in user’s web browser - CVE-2018-0527, CVE-2018-0565
  • A user who can log in to the product may view schedules that the user is not permitted to access - CVE-2018-0528
  • A user attaching a specially crafted image file in “Compose E-mail screen” may cause a denial-of-service (DoS) condition - CVE-2018-0529
  • A schedule may be obtained by a user who does not have the privileges to access it - CVE-2018-0566
  • A user without privileges may access and write data before it is made public - CVE-2018-0567

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Products Affected

  • Cybozu Office 10.0.0 to 10.7.0 (CVE-2018-0526, CVE-2018-0527, CVE-2018-0528, CVE-2018-0529)
  • Cybozu Office 10.0.0 to 10.8.0 (CVE-2018-0565, CVE-2018-0566, CVE-2018-0567)
