Description
Improper access control vulnerability in Cabinet of Cybozu Office 10.0.0 to 10.8.4 allows authenticated attackers to bypass access restriction and obtain the date of Cabinet via unspecified vectors.
Affected Software
Related
{"id": "PRION:CVE-2021-20633", "vendorId": null, "type": "prion", "bulletinFamily": "NVD", "title": "Improper access control", "description": "Improper access control vulnerability in Cabinet of Cybozu Office 10.0.0 to 10.8.4 allows authenticated attackers to bypass access restriction and obtain the date of Cabinet via unspecified vectors.", "published": "2021-03-18T01:15:00", "modified": "2022-07-12T17:42:00", "epss": [{"cve": "CVE-2021-20633", "epss": 0.00054, "percentile": 0.20894, "modified": "2023-11-20"}], "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.0}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, "href": "https://www.prio-n.com/kb/vulnerability/CVE-2021-20633", "reporter": "PRIOn knowledge base", "references": ["https://kb.cybozu.support/article/36869/", "https://jvn.jp/en/jp/JVN45797538/index.html"], "cvelist": ["CVE-2021-20633"], "immutableFields": [], "lastseen": "2023-11-22T00:33:20", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-20633"]}, {"type": "jvn", "idList": ["JVN:45797538"]}]}, "score": {"value": 4.8, "uncertanity": 0.3, "vector": "NONE"}, "vulnersScore": 4.8}, "_state": {"dependencies": 1700613249, "score": 1700613245}, "_internal": {"score_hash": "0acb561abb5be7a70c10b14815bb26b1"}, "affectedSoftware": [{"version": "10.0.0", "operator": "ge", "name": "office"}, {"version": "10.8.4", "operator": "le", "name": "office"}], "vendor_cvss2": {"score": "4", "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}, "vendor_cvss3": {}}
{"cve": [{"lastseen": "2023-12-06T14:18:37", "description": "Improper access control vulnerability in Cabinet of Cybozu Office 10.0.0 to 10.8.4 allows authenticated attackers to bypass access restriction and obtain the date of Cabinet via unspecified vectors.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-03-18T01:15:00", "type": "cve", "title": "CVE-2021-20633", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20633"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:cybozu:office:10.8.4"], "id": "CVE-2021-20633", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20633", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:cybozu:office:10.8.4:*:*:*:*:*:*:*"]}], "jvn": [{"lastseen": "2023-12-06T14:22:45", "description": "Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below. \n\n**[CyVDB-1657] Operational restrictions bypass vulnerability in Scheduler ([CWE-264](<https://cwe.mitre.org/data/definitions/264.html>))** \\- CVE-2021-20624 \n\nVersion| Vector| Score \n---|---|--- \nCVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N| **Base Score: 4.3** \nCVSS v2| AV:N/AC:L/Au:S/C:N/I:P/A:N| **Base Score: 4.0** \n \n**[CyVDB-1727] Operational restrictions bypass vulnerability in Bulletin Board ([CWE-264](<https://cwe.mitre.org/data/definitions/264.html>))** \\- CVE-2021-20625 \n\nVersion| Vector| Score \n---|---|--- \nCVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N| **Base Score: 4.3** \nCVSS v2| AV:N/AC:L/Au:S/C:N/I:P/A:N| **Base Score: 4.0** \n \n**[CyVDB-1895][CyVDB-2658] Operational restrictions bypass vulnerability in Workflow ([CWE-264](<https://cwe.mitre.org/data/definitions/264.html>))** \\- CVE-2021-20626 \n\nVersion| Vector| Score \n---|---|--- \nCVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N| **Base Score: 4.3** \nCVSS v2| AV:N/AC:L/Au:S/C:N/I:P/A:N| **Base Score: 4.0** \n \n**[CyVDB-1899] Cross-site scripting vulnerability in Address Book ([CWE-79](<https://cwe.mitre.org/data/definitions/79.html>))** \\- CVE-2021-20627 \n\nVersion| Vector| Score \n---|---|--- \nCVSS v3| CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N| **Base Score: 4.7** \nCVSS v2| AV:N/AC:H/Au:N/C:N/I:P/A:N| **Base Score: 2.6** \n \n**[CyVDB-1924] Cross-site scripting vulnerability in Address Book ([CWE-79](<https://cwe.mitre.org/data/definitions/79.html>))** \\- CVE-2021-20628 \n\nVersion| Vector| Score \n---|---|--- \nCVSS v3| CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N| **Base Score: 4.7** \nCVSS v2| AV:N/AC:H/Au:N/C:N/I:P/A:N| **Base Score: 2.6** \n \n**[CyVDB-2014] Cross-site scripting vulnerability in E-mail ([CWE-79](<https://cwe.mitre.org/data/definitions/79.html>))** \\- CVE-2021-20629 \n\nVersion| Vector| Score \n---|---|--- \nCVSS v3| CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N| **Base Score: 4.7** \nCVSS v2| AV:N/AC:H/Au:N/C:N/I:P/A:N| **Base Score: 2.6** \n \n**[CyVDB-2018] Viewing restrictions bypass vulnerability in Phone Messages ([CWE-264](<https://cwe.mitre.org/data/definitions/264.html>))** \\- CVE-2021-20630 \n\nVersion| Vector| Score \n---|---|--- \nCVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N| **Base Score: 4.3** \nCVSS v2| AV:N/AC:L/Au:S/C:P/I:N/A:N| **Base Score: 4.0** \n \n**[CyVDB-2063] Improper input validation vulnerability in Custom App ([CWE-20](<https://cwe.mitre.org/data/definitions/20.html>))** \\- CVE-2021-20631 \n\nVersion| Vector| Score \n---|---|--- \nCVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L| **Base Score: 4.3** \nCVSS v2| AV:N/AC:L/Au:S/C:N/I:N/A:P| **Base Score: 4.0** \n \n**[CyVDB-2263] Viewing restrictions bypass vulnerability in Bulletin Board ([CWE-264](<https://cwe.mitre.org/data/definitions/264.html>))** \\- CVE-2021-20632 \n\nVersion| Vector| Score \n---|---|--- \nCVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N| **Base Score: 4.3** \nCVSS v2| AV:N/AC:L/Au:S/C:P/I:N/A:N| **Base Score: 4.0** \n \n**[CyVDB-2310] Viewing restrictions bypass vulnerability in Cabinet ([CWE-264](<https://cwe.mitre.org/data/definitions/264.html>))** \\- CVE-2021-20633 \n\nVersion| Vector| Score \n---|---|--- \nCVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N| **Base Score: 4.3** \nCVSS v2| AV:N/AC:L/Au:S/C:P/I:N/A:N| **Base Score: 4.0** \n \n**[CyVDB-2764] Viewing restrictions bypass vulnerability in Custom App ([CWE-264](<https://cwe.mitre.org/data/definitions/264.html>))** \\- CVE-2021-20634 \n\nVersion| Vector| Score \n---|---|--- \nCVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N| **Base Score: 4.3** \nCVSS v2| AV:N/AC:L/Au:S/C:P/I:N/A:N| **Base Score: 4.0** \n \n**[CyVDB-1900] Cross-site scripting vulnerability in Address Book ([CWE-79](<https://cwe.mitre.org/data/definitions/79.html>))** \\- CVE-2021-20849 \n\nVersion| Vector| Score \n---|---|--- \nCVSS v3| CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N| **Base Score: 4.7** \nCVSS v2| AV:N/AC:H/Au:N/C:N/I:P/A:N| **Base Score: 2.6**\n\n ## Impact\n\n * [CyVDB-1657]: \nA user who can log in to the product may alter the data of Scheduler without appropriate privileges.\n * [CyVDB-1727]: \nA user who can log in to the product may alter the data of Bulletin Board without appropriate privileges.\n * [CyVDB-1895] and [CyVDB-2658]: \nA user who can log in to the product may alter the data of Workflow without appropriate privileges.\n * [CyVDB-1899], [CyVDB-1924], [CyVDB-2014] and [CyVDB-1900]: \nAn arbitrary script may be executed on a logged-in user's web browser. Note that [CyVDB-1924] issue only occurs when using Mozilla firefox.\n * [CyVDB-2018]: \nA user who can log in to the product may obtain the data of Phone Messages without the viewing privileges.\n * [CyVDB-2063]: \nA user who can log in to the product may alter the data of Custom App.\n * [CyVDB-2263]: \nA user who can log in to the product may obtain the data of Bulletin Board without the viewing privileges.\n * [CyVDB-2310]: \nA user who can log in to the product may obtain the data of Cabinet without the viewing privileges.\n * [CyVDB-2764]: \nA user who can log in to the product may obtain the data of Custom App without the viewing privileges.\n\n ## Solution\n\n**Update the Software** \nUpdate to the latest version according to the information provided by the developer.\n\n ## Products Affected\n\n * Cybozu Office 10.0.0 to 10.8.4\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-15T00:00:00", "type": "jvn", "title": "JVN#45797538: Multiple vulnerabilities in Cybozu Office", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20624", "CVE-2021-20625", "CVE-2021-20626", "CVE-2021-20627", "CVE-2021-20628", "CVE-2021-20629", "CVE-2021-20630", "CVE-2021-20631", "CVE-2021-20632", "CVE-2021-20633", "CVE-2021-20634", "CVE-2021-20849"], "modified": "2021-12-17T00:00:00", "id": "JVN:45797538", "href": "http://jvn.jp/en/jp/JVN45797538/index.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}
Improper access control
