Japan Vulnerability NotesJVN:86026700JVN#86026700: Multiple vulnerabilities in GroupSession
5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
48.2%
GroupSession provided by Japan Total System Co.,Ltd. contains multiple vulnerabilities listed below.
Cross-site scripting vulnerability (CWE-79) - CVE-2021-20785
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Base Score: 6.1 |
| CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | Base Score: 2.6 |
Cross-site request forgery (CWE-352) - CVE-2021-20786
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | Base Score: 4.3 |
| CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | Base Score: 2.6 |
Cross-site scripting vulnerability (CWE-79)- CVE-2021-20787
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Base Score: 6.1 |
| CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | Base Score: 2.6 |
Sever-side request forgery (CWE-918) - CVE-2021-20788
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | Base Score: 5.0 |
| CVSS v2 | AV:N/AC:L/Au:S/C:P/I:N/A:N | Base Score: 4.0 |
Open redirect (CWE-601) - CVE-2021-20789
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N | Base Score: 4.7 |
| CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | Base Score: 2.6 |
Impact
- If a user sends a specially crafted request to a specific URL while logged in to the product with an administrative account, an arbitrary script may be executed - CVE-2021-20785, CVE-2021-20787
- If a user accesses a specially crafted URL while logged in to the product with an administrative account, the product’s settings may be changed unintentionally - CVE-2021-20786
- A user who can access the bookmark function of the software may conduct a port scan from the product and/or obtain information from the internal Web server - CVE-2021-20788
- When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack - CVE-2021-20789
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
The developer has released the fixed version ver5.1.0.
Products Affected
- GroupSession Free edition from ver2.2.0 to the version prior to ver5.1.0
- GroupSession byCloud from ver3.0.3 to the version prior to ver5.1.0
- GroupSession ZION from ver3.0.3 to the version prior to ver5.1.0
Related
5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
48.2%