[Japanese]

JVNDB-2022-000054

Multiple vulnerabilities in Cybozu Office

Overview

Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below.

* [CyVDB-839][CyVDB-2300][CyVDB-3109] Browse restriction bypass vulnerability in Cabinet (CWE-284) - CVE-2022-32283
* [CyVDB-1795] Operation restriction bypass vulnerability in Project (CWE-285) - CVE-2022-32544
* [CyVDB-1800][CyVDB-2798][CyVDB-2927] Browse restriction bypass vulnerability in Custom App (CWE-284) - CVE-2022-29891
* [CyVDB-1849] Cross-site scripting vulnerability in the specific parameters (CWE-79) - CVE-2022-33151
* [CyVDB-1851][CyVDB-1856][CyVDB-1873][CyVDB-1944][CyVDB-2173] Cross-site scripting vulnerability in the specific parameters (CWE-79) - CVE-2022-28715
* [CyVDB-1859] Cross-site scripting vulnerability in the specific parameters (CWE-79) - CVE-2022-30604
* [CyVDB-2030] HTTP header injection vulnerability (CWE-113) - CVE-2022-32453
* [CyVDB-2152][CyVDB-2153][CyVDB-2154][CyVDB-2155] Information disclosure vulnerability in the system configuration (CWE-200) - CVE-2022-30693
* [CyVDB-2693] Operation restriction bypass vulnerability in Scheduler (CWE-285) - CVE-2022-32583
* [CyVDB-2695][CyVDB-2819] Browse restriction bypass vulnerability in Scheduler (CWE-284) - CVE-2022-25986
* [CyVDB-2770] Browse restriction bypass vulnerability in Address Book (CWE-284) - CVE-2022-33311
* [CyVDB-2939] Cross-site scripting vulnerability in the specific parameters (CWE-79) - CVE-2022-29487

CVE-2022-28715, CVE-2022-30604, CVE-2022-32453, CVE-2022-33151
Masato Kinugawa reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.

CVE-2022-29891, CVE-2022-32544, CVE-2022-32583
Yuji Tounai reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.

CVE-2022-30693
Kanta Nishitani of Ierae Security Inc. reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.

CVE-2022-29487, CVE-2022-25986, CVE-2022-32283, CVE-2022-33311
Cybozu, Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solution through JVN.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-30693

CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-32283

CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-32544

CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-29891

CVSS V3 Severity:
Base Metrics 6.1 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-33151

CVSS V3 Severity:
Base Metrics 6.1 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-28715

CVSS V3 Severity:
Base Metrics 6.1 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-30604

CVSS V3 Severity:
Base Metrics 6.1 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-32453

CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-32583

CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-25986

CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-33311

CVSS V3 Severity:
Base Metrics 6.1 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-29487
Affected Products


Cybozu, Inc.
  • Cybozu Office 10.0.0 to 10.8.5

Impact

* [CyVDB-839], [CyVDB-2300], [CyVDB-3109]:
A user who can log in to the product may obtain the data of Cabinet.
* [CyVDB-1795]:
A user who can log in to the product may alter the data of Project.
* [CyVDB-1800], [CyVDB-2798], [CyVDB-2927]:
A user who can log in to the product may obtain the data of Custom App.
* [CyVDB-1849], [CyVDB-1851], [CyVDB-1856], [CyVDB-1859], [CyVDB-1873], [CyVDB-1944], [CyVDB-2173], [CyVDB-2939]:
An arbitrary script may be executed on a logged-in user's web browser.
* [CyVDB-2030]:
A remote attacker may obtain and/or alter the data of the product.
* [CyVDB-2152], [CyVDB-2153], [CyVDB-2154], [CyVDB-2155]:
A remote attacker may obtain the data of the product.
* [CyVDB-2693]:
A user who can log in to the product may alter the data of Scheduler.
* [CyVDB-2695], [CyVDB-2819]:
A user who can log in to the product may obtain the data of Scheduler.
* [CyVDB-2770]:
A user who can log in to the product may obtain the data of Address Book.
Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.
Vendor Information

Cybozu, Inc.
CWE (What is CWE?)

  1. Permissions(CWE-264) [IPA Evaluation]
  2. Cross-site Scripting(CWE-79) [IPA Evaluation]
  3. No Mapping(CWE-Other) [IPA Evaluation]
  4. Information Exposure(CWE-200) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2022-25986
  2. CVE-2022-28715
  3. CVE-2022-29487
  4. CVE-2022-29891
  5. CVE-2022-30604
  6. CVE-2022-30693
  7. CVE-2022-32283
  8. CVE-2022-32453
  9. CVE-2022-32544
  10. CVE-2022-32583
  11. CVE-2022-33151
  12. CVE-2022-33311
References

  1. JVN : JVN#20573662
Revision History

  • [2022/07/20]
      Web page was published
  • [2022/07/21]
      Overview : Content was modified
      CWE : Content was modified

Date Public2022/07/20
Date First Published2022/07/20
Date Last Updated2022/07/21