CVE-2016-4865

Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows attackers with administrator rights to inject arbitrary web script or HTML via the Customapp function.

CVE-2016-4868

Email header injection vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows remote attackers to inject arbitrary email headers to send unintended emails via specially crafted requests.

CVE-2016-4870

Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the Schedule function.

CVE-2016-4874

Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to conduct a "reflected file download" attack.

CVE-2016-4867

Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to bypass access restriction to view unauthorized project information via the Project function.

CVE-2016-4869

Cybozu Office 9.0.0 to 10.4.0 allow remote attackers to obtain session information via a page where CGI environment variables are displayed.

CVE-2016-4873

Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to execute unintended operations via the Project function.

CVE-2016-4872

Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to bypass access restrictions to view the names of unauthorized projects via a breadcrumb trail.

CVE-2016-4866

Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows attackers with administrator rights to inject arbitrary web script or HTML via the Project function.

CVE-2016-4871

Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to cause a denial of service.