JVNDB-2019-000047
|
Multiple vulnerabilities in Cybozu Garoon
|
Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.
* DOM-based cross-site scripting in the application "Portal" (CWE-79) - CVE-2019-5975
* Denial-of-service (DoS) (CWE-20) - CVE-2019-5976
* Mail header injection in the application "E-mail" (CWE-74) - CVE-2019-5977
* Open redirect in the application "Scheduler" (CWE-601) - CVE-2019-5978
Masato Kinugawa reported the CVE-2019-5975 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
Kanta Nishitani reported the CVE-2019-5976 and CVE-2019-5978 vulnerabilities to Cybozu, Inc., and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solution through JVN.
Shuichi Uruma reported the CVE-2019-5977 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
|
CVSS V3 Severity: Base Metrics 4.9 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
CVSS V2 Severity: Base Metrics 4.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single Instance
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2019-5976
|
CVSS V3 Severity: Base Metrics 4.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 1.7 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: Multiple
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5975
|
CVSS V3 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 4.0 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5977
|
CVSS V3 Severity: Base Metrics 4.7 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 2.6 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5978
|
|
Cybozu, Inc.
- Cybozu Garoon 4.6.0 to 4.10.2 (CVE-2019-5975)
- Cybozu Garoon 4.0.0 to 4.10.2 (CVE-2019-5976, CVE-2019-5977 and CVE-2019-5978)
|
|
* An arbitrary script may be executed on the logged-in user's web browser while accessing a malicious web page - CVE-2019-5975
* A denial-of-service (DoS) condition may be caused if an attacker with administrative privileges alters session authentication data - CVE-2019-5976
* A user may send mail with an altered header - CVE-2019-5977
* A user may be redirected to an arbitrary website if accessing a specially crafted URL - CVE-2019-5978
|
[Update the Software]
Update to the latest version according to the information provided by the developer.
|
Cybozu, Inc.
|
- Improper Input Validation (CWE-20) [IPA Evaluation]
- Cross-site Scripting (CWE-79) [IPA Evaluation]
|
- CVE-2019-5975
- CVE-2019-5976
- CVE-2019-5977
- CVE-2019-5978
|
- JVN : JVN#62618482
- National Vulnerability Database (NVD) : CVE-2019-5975
- National Vulnerability Database (NVD) : CVE-2019-5976
- National Vulnerability Database (NVD) : CVE-2019-5977
- National Vulnerability Database (NVD) : CVE-2019-5978
|
- [2019/07/16] Web page was published
- [2019/10/08] References: Contents were added
|