[Japanese]
|
JVNDB-2018-000053
|
Multiple vulnerabilities in Cybozu Office
|
Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below.
*Information disclosure in the application "Message" when viewing an external image (CWE-200) - CVE-2018-0526
*Stored cross-site scripting in "E-mail Details Screen" of the application "E-mail" (CWE-79) - CVE-2018-0527
*Browse restriction bypass in the application "Scheduler" (CWE-264) - CVE-2018-0528
*Denial-of-service (DoS) in the application "Message" due to a flaw in processing of an attached file (CWE-20) - CVE-2018-0529
*Reflected cross-site scripting in the application "MultiReport" (CWE-79) - CVE-2018-0565
*Browse restriction bypass in the application "Scheduler" (CWE-264) - CVE-2018-0566
*Operation restriction bypass in the application "Bulletin" (CWE-264) - CVE-2018-0567
Jun Kokatsu reported CVE-2018-0526 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
Masato Kinugawa reported CVE-2018-0527 and CVE-2018-0565 vulnerabilities to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
Cybozu, Inc. reported CVE-2018-0528, CVE-2018-0529 and CVE-2018-0566 vulnerabilities to JPCERT/CC to notify users of respective solutions through JVN.
Yuji Tounai reported CVE-2018-0567 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
|
CVSS V3 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
CVSS V2 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2018-0526
|
CVSS V3 Severity:
Base Metrics:
6.1 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
4.3 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2018-0527
|
CVSS V3 Severity:
Base Metrics:
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: Low
-
Integrity Impact: None
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
3.5 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: Single
-
Confidentiality Impact: Partial
-
Integrity Impact: None
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2018-0528
|
CVSS V3 Severity:
Base Metrics:
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: None
-
Availability Impact: Low
CVSS V2 Severity:Base Metrics:
5.0 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: None
-
Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2018-0529
|
CVSS V3 Severity:
Base Metrics:
6.1 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
2.6 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: High
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2018-0565
|
CVSS V3 Severity:
Base Metrics:
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: Low
-
Integrity Impact: None
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
3.5 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: Single
-
Confidentiality Impact: Partial
-
Integrity Impact: None
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2018-0566
|
CVSS V3 Severity:
Base Metrics:
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
3.5 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2018-0567
|
|
Cybozu, Inc.
- Cybozu Office 10.0.0 to 10.7.0 (CVE-2018-0526, CVE-2018-0527, CVE-2018-0528, CVE-2018-0529)
- Cybozu Office 10.0.0 to 10.8.0 (CVE-2018-0565, CVE-2018-0566, CVE-2018-0567)
|
|
*If a user browses a message, an attached image located in an external server may be displayed without the user's permission - CVE-2018-0526
*An arbitrary script may be executed on the logged in user's web browser - CVE-2018-0527, CVE-2018-0565
*A user who can login to the product may view the schedules that are not permitted to access - CVE-2018-0528
*Attaching a specially crafted image file in "Compose E-mail screen" by a user may result in Denial-of-service (DoS) condition - CVE-2018-0529
*The schedule may be obtained by a user who does not have privileges to access - CVE-2018-0566
*A user without privileges may access and write data prior to being public - CVE-2018-0567
|
[Update the Software]
Update to the latest version according to the information provided by the developer.
|
Cybozu, Inc.
|
- Improper Input Validation(CWE-20) [IPA Evaluation]
- Information Exposure(CWE-200) [IPA Evaluation]
- Permissions(CWE-264) [IPA Evaluation]
- Cross-site Scripting(CWE-79) [IPA Evaluation]
|
- CVE-2018-0526
- CVE-2018-0527
- CVE-2018-0528
- CVE-2018-0529
- CVE-2018-0565
- CVE-2018-0566
- CVE-2018-0567
|
- JVN : JVN#51737843
- National Vulnerability Database (NVD) : CVE-2018-0565
- National Vulnerability Database (NVD) : CVE-2018-0566
- National Vulnerability Database (NVD) : CVE-2018-0567
- National Vulnerability Database (NVD) : CVE-2018-0526
- National Vulnerability Database (NVD) : CVE-2018-0527
- National Vulnerability Database (NVD) : CVE-2018-0528
- National Vulnerability Database (NVD) : CVE-2018-0529
|
- [2018/05/22]
Web page was published
- [2018/08/30]
References : Contents were added
|