
JVNDB-2010-000016

Multiple Cybozu products vulnerable to authentication bypass

Overview

Multiple Cybozu products contain an authentication bypass vulnerability.

Multiple Cybozu products contain an issue in which access to the login page for mobile devices is not properly restricted, leading to an authentication bypass vulnerability. As a result, an attacker may impersonate a user of a Cybozu product.

CVSS Severity

Base Metrics: 5.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products


Cybozu, Inc.
  • Cybozu Office 7 Ktai
  • Cybozu Dotsales

Impact

A remote attacker may view or modify information stored by the product.

Solution

[Apply IP address restriction]
Restrict access to mobile device IP addresses only, using one of the following methods:
  • Apply the restriction settings on the server on which the product is installed
  • Use "Cybozu Remote Service", available from the developer

[Update the Software]
Update to the latest version according to the information provided by the developer.

Vendor Information

Cybozu, Inc.

CWE

  1. Permissions (CWE-264) [IPA Evaluation]

CVE

  1. CVE-2010-2029

References

  1. JVN : JVN#87730223
  2. National Vulnerability Database (NVD) : CVE-2010-2029
  3. IPA SECURITY ALERTS : Security Alert for Vulnerability in Multiple Cybozu Products
  4. Secunia Advisory : SA39508
  5. ISS X-Force Database : 57976
  6. OPEN SOURCE VULNERABILITY DATABASE (OSVDB) : 63933

Revision History

[2010/04/21]
  Web page published