JVNDB-2019-000023
|
Multiple vulnerabilities in Cybozu Garoon
|
Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.
* Cross-site scripting in the additional processing of Customize Item function (CWE-79) - CVE-2019-5928
* Cross-site scripting in the application "Memo" (CWE-79) - CVE-2019-5929
* Browse restriction bypass in the application "Management of Basic System" (CWE-264) - CVE-2019-5930
* Improper verification of file path in installer (CWE-20) - CVE-2019-5931
* Stored cross-site scripting in the application "Portal" (CWE-79) - CVE-2019-5932
* Browse restriction bypass in the application "Bulletin" (CWE-284) - CVE-2019-5933
* SQL injection in the Log Search function of application "logging" (CWE-89) - CVE-2019-5934
* Operation restriction bypass in the Item function of User Information (CWE-264) - CVE-2019-5935
* Directory traversal in the application "Work Flow" (CWE-22) - CVE-2019-5936
* Cross-site scripting in the user information (CWE-79) - CVE-2019-5937
* Stored cross-site scripting in the application "Mail" (CWE-79) - CVE-2019-5938
* Cross-site scripting in the application "Portal" (CWE-79) - CVE-2019-5939
* Cross-site scripting in the application "Scheduler" (CWE-79) - CVE-2019-5940
* Operation restriction bypass in the application "Multi Report" (CWE-264) - CVE-2019-5941
* Browse restriction bypass in the Multiple Files Download function of application "Cabinet" (CWE-284) - CVE-2019-5942
* Browse restriction bypass in the application "Bulletin" and the application "Cabinet" (CWE-284) - CVE-2019-5943
* Operation restriction bypass in the application "Address" (CWE-264) - CVE-2019-5944
* Information disclosure in the authentication of Cybozu Garoon (CWE-287) - CVE-2019-5945
* Open redirect in the Login Screen (CWE-601) - CVE-2019-5946
* Cross-site scripting in the application "Cabinet" (CWE-79) - CVE-2019-5947
* Server-side request forgery in the V-CUBE Meeting function (CWE-918) - CVE-2020-5562
Cybozu, Inc. reported the following vulnerabilities to JPCERT/CC to notify users of the solution through JVN.
* CVE-2019-5928, CVE-2019-5930, CVE-2019-5931, CVE-2019-5932, CVE-2019-5935, CVE-2019-5936, CVE-2019-5942 and CVE-2019-5947 by Cybozu, Inc.
* CVE-2019-5929, CVE-2019-5937, CVE-2019-5938, CVE-2019-5939 and CVE-2019-5940 by Masato Kinugawa
* CVE-2019-5933, CVE-2019-5941 and CVE-2019-5946 by Yuji Tounai
* CVE-2019-5934 and CVE-2019-5945 by Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc.
* CVE-2019-5943 by ixama
* CVE-2019-5944 by Tanghaifeng
* CVE-2020-5562 by Kanta Nishitani
|
CVSS V3 Severity: Base Metrics 6.0 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: Low
CVSS V2 Severity: Base Metrics 6.5 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single Instance
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2019-5934
|
CVSS V3 Severity: Base Metrics 6.1 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 2.6 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5928
|
CVSS V3 Severity: Base Metrics 6.1 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 5.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5929
|
CVSS V3 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
CVSS V2 Severity: Base Metrics 4.0 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5930
|
CVSS V3 Severity: Base Metrics 6.0 (Medium) [IPA Score]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 4.9 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: Single
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2019-5931
|
CVSS V3 Severity: Base Metrics 4.8 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 3.5 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: Single
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5932
|
CVSS V3 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
CVSS V2 Severity: Base Metrics 3.5 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: Single
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5933
|
CVSS V3 Severity: Base Metrics 6.0 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: Low
CVSS V2 Severity: Base Metrics 6.5 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2019-5934
|
CVSS V3 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 4.0 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5935
|
CVSS V3 Severity: Base Metrics 5.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 5.5 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5936
|
CVSS V3 Severity: Base Metrics 5.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 3.5 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: Single
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5937
|
CVSS V3 Severity: Base Metrics 6.1 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5938
|
CVSS V3 Severity: Base Metrics 6.1 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 2.6 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5939
|
CVSS V3 Severity: Base Metrics 6.1 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 2.6 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5940
|
CVSS V3 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 4.0 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5941
|
CVSS V3 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
CVSS V2 Severity: Base Metrics 4.0 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5942
|
CVSS V3 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
CVSS V2 Severity: Base Metrics 4.0 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5943
|
CVSS V3 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 4.0 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5944
|
CVSS V3 Severity: Base Metrics 5.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
CVSS V2 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5945
|
CVSS V3 Severity: Base Metrics 7.4 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
CVSS V2 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5946
|
CVSS V3 Severity: Base Metrics 5.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 4.0 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5947
|
CVSS V3 Severity: Base Metrics 6.8 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Changed
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
CVSS V2 Severity: Base Metrics 3.5 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: Single
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2020-5562
|
|
Cybozu, Inc.
- Cybozu Garoon 4.0.0 to 4.6.3 (CVE-2019-5928 to CVE-2019-5931)
- Cybozu Garoon 4.6.0 to 4.6.3 (CVE-2019-5932 and CVE-2020-5562)
- Cybozu Garoon 4.0.0 to 4.10.0 (CVE-2019-5933 and CVE-2019-5934)
- Cybozu Garoon 4.0.0 to 4.10.1 (CVE-2019-5935 to CVE-2019-5944)
- Cybozu Garoon 4.2.4 to 4.10.1 (CVE-2019-5945 and CVE-2019-5946)
- Cybozu Garoon 4.6.0 to 4.10.1 (CVE-2019-5947)
|
|
* An arbitrary script may be executed on a user's web browser. - CVE-2019-5929
* An arbitrary script may be executed on a logged-in user's web browser. - CVE-2019-5928, CVE-2019-5932, CVE-2019-5937, CVE-2019-5938, CVE-2019-5939, CVE-2019-5940, CVE-2019-5947
* A user who can log in to the product may view information without view privileges. - CVE-2019-5930, CVE-2019-5943
* Information may be altered with the privilege of the user invoking the installer. - CVE-2019-5931
* A user who can log in to the product may view the Bulletin Board without view privileges. - CVE-2019-5933
* A user who can access the product with administrative privileges may execute arbitrary SQL commands. - CVE-2019-5934
* A remote attacker may change user information without access privileges. - CVE-2019-5935
* A user who can log in to the product may obtain files without access privileges. - CVE-2019-5936, CVE-2019-5942
* A user who can log in to the product may alter the Report without access privileges. - CVE-2019-5941
* A user who can log in to the product may alter the contents of the application "Address" without modify privileges. - CVE-2019-5944
* Users' credential information may be disclosed. - CVE-2019-5945
* When accessing a specially crafted URL, a user may be redirected to an arbitrary website. - CVE-2019-5946
* A user who can log in to the product with administrative privileges may issue arbitrary HTTP requests to other web servers from the product. - CVE-2020-5562
|
[Update the Software]
Update to the latest version according to the information provided by the developer.
|
Cybozu, Inc.
|
- Improper Input Validation (CWE-20) [IPA Evaluation]
- Information Exposure (CWE-200) [IPA Evaluation]
- Path Traversal (CWE-22) [IPA Evaluation]
- Permissions (CWE-264) [IPA Evaluation]
- Cross-site Scripting (CWE-79) [IPA Evaluation]
- SQL Injection (CWE-89) [IPA Evaluation]
- No Mapping (CWE-Other) [IPA Evaluation]
|
- CVE-2020-5562
- CVE-2019-5928
- CVE-2019-5929
- CVE-2019-5930
- CVE-2019-5931
- CVE-2019-5932
- CVE-2019-5933
- CVE-2019-5934
- CVE-2019-5935
- CVE-2019-5936
- CVE-2019-5937
- CVE-2019-5938
- CVE-2019-5939
- CVE-2019-5940
- CVE-2019-5941
- CVE-2019-5942
- CVE-2019-5943
- CVE-2019-5944
- CVE-2019-5945
- CVE-2019-5946
- CVE-2019-5947
|
- JVN : JVN#58849431
- National Vulnerability Database (NVD) : CVE-2019-5928
- National Vulnerability Database (NVD) : CVE-2019-5929
- National Vulnerability Database (NVD) : CVE-2019-5930
- National Vulnerability Database (NVD) : CVE-2019-5931
- National Vulnerability Database (NVD) : CVE-2019-5932
- National Vulnerability Database (NVD) : CVE-2019-5933
- National Vulnerability Database (NVD) : CVE-2019-5934
- National Vulnerability Database (NVD) : CVE-2019-5935
- National Vulnerability Database (NVD) : CVE-2019-5936
- National Vulnerability Database (NVD) : CVE-2019-5937
- National Vulnerability Database (NVD) : CVE-2019-5938
- National Vulnerability Database (NVD) : CVE-2019-5939
- National Vulnerability Database (NVD) : CVE-2019-5940
- National Vulnerability Database (NVD) : CVE-2019-5941
- National Vulnerability Database (NVD) : CVE-2019-5942
- National Vulnerability Database (NVD) : CVE-2019-5943
- National Vulnerability Database (NVD) : CVE-2019-5944
- National Vulnerability Database (NVD) : CVE-2019-5945
- National Vulnerability Database (NVD) : CVE-2019-5946
- National Vulnerability Database (NVD) : CVE-2019-5947
- National Vulnerability Database (NVD) : CVE-2020-5562
|
- [2019/4/25]
Web page was published
- [2019/09/30]
References : Contents were added
- [2020/04/27]
Overview was modified
CVSS Severity was modified
Affected Products was modified
Impact was modified
Vendor Information was added
CWE was added
|