[Japanese]
|
JVNDB-2021-000073
|
Multiple vulnerabilities in Cybozu Garoon
|
Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.
* [CyVDB-1782] Cross-site scripting vulnerability in Scheduler (CWE-79) - CVE-2021-20753
* [CyVDB-2029] Improper input validation vulnerability in Workflow (CWE-20) - CVE-2021-20754
* [CyVDB-2071] Viewing restrictions bypass vulnerability in Portal (CWE-264) - CVE-2021-20755
* [CyVDB-2085] Viewing restrictions bypass vulnerability in Address (CWE-264) - CVE-2021-20756
* [CyVDB-2092] Operational restrictions bypass vulnerability in E-mail (CWE-264) - CVE-2021-20757
* [CyVDB-2099] Cross-site request forgery vulnerability in Message (CWE-352) - CVE-2021-20758
* [CyVDB-2103] Operational restrictions bypass vulnerability in Bulletin (CWE-264) - CVE-2021-20759
* [CyVDB-2234] Improper input validation vulnerability in User Profile (CWE-20) - CVE-2021-20760
* [CyVDB-2245][CyVDB-2374] Improper input validation vulnerability in E-mail (CWE-20) - CVE-2021-20761
* [CyVDB-2283] Improper input validation vulnerability in E-mail (CWE-20) - CVE-2021-20762
* [CyVDB-2368] Operational restrictions bypass vulnerability in Portal (CWE-264) - CVE-2021-20763
* [CyVDB-2388] Improper input validation vulnerability in Attaching Files (CWE-20) - CVE-2021-20764
* [CyVDB-2406] Cross-site scripting vulnerability in Bulletin (CWE-79) - CVE-2021-20765
* [CyVDB-2407] Cross-site scripting vulnerability in Message (CWE-79) - CVE-2021-20766
* [CyVDB-2446] Cross-site scripting vulnerability in Full Text Search (CWE-79) - CVE-2021-20767
* [CyVDB-2448] Operational restrictions bypass vulnerability in Scheduler and MultiReport (CWE-264) - CVE-2021-20768
* [CyVDB-2568] Cross-site scripting vulnerability in Bulletin (CWE-79) - CVE-2021-20769
* [CyVDB-2659] Cross-site scripting vulnerability in Message (CWE-79) - CVE-2021-20770
* [CyVDB-2193] Cross-site scripting vulnerability in some functions of E-mail (CWE-79) - CVE-2021-20771
* [CyVDB-2479] Title information disclosure vulnerability in Bulletin (CWE-264) - CVE-2021-20772
* [CyVDB-2755] Vulnerability where route information of Workflow is deleted unintentionally - CVE-2021-20773
* [CyVDB-2766] Cross-site scripting vulnerability in some functions of E-mail (CWE-79) - CVE-2021-20774
* [CyVDB-2903] Comment destination information disclosure vulnerability (CWE-20) - CVE-2021-20775
CVE-2021-20753
Masato Kinugawa reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of the solutions through JVN.
CVE-2021-20755, CVE-2021-20764, CVE-2021-20765, CVE-2021-20766
Yuji Tounai reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.
CVE-2021-20760, CVE-2021-20761, CVE-2021-20767
Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.
CVE-2021-20771
Ren Hirasawa reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of the solutions through JVN.
CVE-2021-20754, CVE-2021-20756, CVE-2021-20757, CVE-2021-20758, CVE-2021-20759, CVE-2021-20762, CVE-2021-20763, CVE-2021-20768, CVE-2021-20769, CVE-2021-20770, CVE-2021-20772, CVE-2021-20773, CVE-2021-20774, CVE-2021-20775
Cybozu, Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solution through JVN.
|
CVSS V3 Severity: Base Metrics 5.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
CVSS V2 Severity: Base Metrics 5.5 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single Instance
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2021-20773
|
CVSS V3 Severity:
Base Metrics:
5.4 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
3.5 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20753
|
CVSS V3 Severity:
Base Metrics:
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
4.0 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20754
|
CVSS V3 Severity:
Base Metrics:
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: Low
-
Integrity Impact: None
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
4.0 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: Partial
-
Integrity Impact: None
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20755
|
CVSS V3 Severity:
Base Metrics:
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: Low
-
Integrity Impact: None
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
4.0 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: Partial
-
Integrity Impact: None
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20756
|
CVSS V3 Severity:
Base Metrics:
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
4.0 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20757
|
CVSS V3 Severity:
Base Metrics:
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
2.6 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: High
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20758
|
CVSS V3 Severity:
Base Metrics:
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
4.0 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20759
|
CVSS V3 Severity:
Base Metrics:
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
4.0 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20760
|
CVSS V3 Severity:
Base Metrics:
4.1 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: High
-
User Interaction: None
-
Scope: Changed
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
4.0 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20761
|
CVSS V3 Severity:
Base Metrics:
5.0 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Changed
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
4.0 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20762
|
CVSS V3 Severity:
Base Metrics:
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
4.0 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20763
|
CVSS V3 Severity:
Base Metrics:
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Unchanged
-
Confidentiality Impact: Low
-
Integrity Impact: None
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
2.6 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: High
-
Authentication: None
-
Confidentiality Impact: Partial
-
Integrity Impact: None
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20764
|
CVSS V3 Severity:
Base Metrics:
6.1 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
2.6 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: High
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20765
|
CVSS V3 Severity:
Base Metrics:
6.1 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
2.6 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: High
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20766
|
CVSS V3 Severity:
Base Metrics:
5.4 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
3.5 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20767
|
CVSS V3 Severity:
Base Metrics:
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
4.0 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20768
|
CVSS V3 Severity:
Base Metrics:
5.4 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
3.5 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20769
|
CVSS V3 Severity:
Base Metrics:
5.4 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
3.5 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20770
|
CVSS V3 Severity:
Base Metrics:
6.1 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
2.6 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: High
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20771
|
CVSS V3 Severity:
Base Metrics:
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: Low
-
Integrity Impact: None
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
4.0 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: Partial
-
Integrity Impact: None
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20772
|
CVSS V3 Severity:
Base Metrics:
5.4 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
3.5 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20774
|
CVSS V3 Severity:
Base Metrics:
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: Low
-
Integrity Impact: None
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
4.0 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: Partial
-
Integrity Impact: None
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20775
|
|
Cybozu, Inc.
- Cybozu Garoon 4.0.0 to 5.0.2 ([CyVDB-1782], [CyVDB-2029], [CyVDB-2071], [CyVDB-2085], [CyVDB-2092], [CyVDB-2099], [CyVDB-2234], [CyVDB-2245], [CyVDB-2283], [CyVDB-2368], [CyVDB-2374], [CyVDB-2388], [CyVDB-2406], [CyVDB-2407], [CyVDB-2446], [CyVDB-2448])
- Cybozu Garoon 4.6.0 to 5.0.2 ([CyVDB-2103], [CyVDB-2568], [CyVDB-2659])
- Cybozu Garoon 4.0.0 to 5.5.0 ([CyVDB-2193], [CyVDB-2755], [CyVDB-2766])
- Cybozu Garoon 4.10.0 to 5.5.0 ([CyVDB-2479], [CyVDB-2903])
|
|
* [CyVDB-1782], [CyVDB-2193], [CyVDB-2406], [CyVDB-2407], [CyVDB-2446], [CyVDB-2568], [CyVDB-2659], [CyVDB-2766]:
An arbitrary script may be executed on a logged-in user's web browser.
* [CyVDB-2029]:
A user who can log in to the product may alter the data of Workflow without the appropriate privilege.
* [CyVDB-2071]:
A user who can log in to the product may obtain the data of Portal without the viewing privilege.
* [CyVDB-2085]:
A user who can log in to the product may obtain the data of Address without the viewing privilege.
* [CyVDB-2092], [CyVDB-2283]:
A user who can log in to the product may alter the data of E-mail without the appropriate privilege.
* [CyVDB-2099]:
If a user views a malicious page while logged in, unintended operations may be performed.
* [CyVDB-2103]:
A user who can log in to the product may alter the data of Bulletin without the appropriate privilege.
* [CyVDB-2234]:
A user who can log in to the product may alter the data of User Profile without the appropriate privilege.
* [CyVDB-2245], [CyVDB-2374]:
A user who can log in to the product with administrative privilege may alter the data of E-mail without the appropriate privilege.
* [CyVDB-2368]:
A user who can log in to the product may alter the data of Portal without the appropriate privilege.
* [CyVDB-2388]:
A remote attacker may obtain the data of Attaching Files.
* [CyVDB-2448]:
A user who can log in to the product may delete the data of Scheduler and MultiReport without the appropriate privilege.
* [CyVDB-2479]:
A user who can log in to the product may obtain the title of Bulletin without the viewing privilege.
* [CyVDB-2755]:
A user who can log in to the product may delete the route information of Workflow without the appropriate privilege.
* [CyVDB-2903]:
A user who can log in to the product may obtain the data of Comment and Space without the viewing privilege.
|
[Update the Software]
Update to the latest version according to the information provided by the developer.
|
Cybozu, Inc.
|
- Improper Input Validation(CWE-20) [IPA Evaluation]
- Permissions(CWE-264) [IPA Evaluation]
- Cross-Site Request Forgery(CWE-352) [IPA Evaluation]
- Cross-site Scripting(CWE-79) [IPA Evaluation]
|
- CVE-2021-20753
- CVE-2021-20754
- CVE-2021-20755
- CVE-2021-20756
- CVE-2021-20757
- CVE-2021-20758
- CVE-2021-20759
- CVE-2021-20760
- CVE-2021-20761
- CVE-2021-20762
- CVE-2021-20763
- CVE-2021-20764
- CVE-2021-20765
- CVE-2021-20766
- CVE-2021-20767
- CVE-2021-20768
- CVE-2021-20769
- CVE-2021-20770
- CVE-2021-20771
- CVE-2021-20772
- CVE-2021-20773
- CVE-2021-20774
- CVE-2021-20775
|
- JVN : JVN#54794245
- National Vulnerability Database (NVD) : CVE-2021-20753
- National Vulnerability Database (NVD) : CVE-2021-20754
- National Vulnerability Database (NVD) : CVE-2021-20755
- National Vulnerability Database (NVD) : CVE-2021-20756
- National Vulnerability Database (NVD) : CVE-2021-20757
- National Vulnerability Database (NVD) : CVE-2021-20758
- National Vulnerability Database (NVD) : CVE-2021-20759
- National Vulnerability Database (NVD) : CVE-2021-20760
- National Vulnerability Database (NVD) : CVE-2021-20761
- National Vulnerability Database (NVD) : CVE-2021-20762
- National Vulnerability Database (NVD) : CVE-2021-20763
- National Vulnerability Database (NVD) : CVE-2021-20766
- National Vulnerability Database (NVD) : CVE-2021-20767
- National Vulnerability Database (NVD) : CVE-2021-20768
- National Vulnerability Database (NVD) : CVE-2021-20769
- National Vulnerability Database (NVD) : CVE-2021-20770
- National Vulnerability Database (NVD) : CVE-2021-20771
- National Vulnerability Database (NVD) : CVE-2021-20772
- National Vulnerability Database (NVD) : CVE-2021-20773
- National Vulnerability Database (NVD) : CVE-2021-20774
- National Vulnerability Database (NVD) : CVE-2021-20775
- National Vulnerability Database (NVD) : CVE-2021-20764
- National Vulnerability Database (NVD) : CVE-2021-20765
|
- [2021/08/02]
Web page was published
- [2022/05/24]
Overview was modified
|