Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-33311: Multiple vulnerabilities in Cybozu Office

Browse restriction bypass vulnerability in Address Book of Cybozu Office 10.0.0 to 10.8.5 allows a remote authenticated attacker to obtain the data of Address Book via unspecified vectors.

CVE
Open in Source
#xss#vulnerability#web#auth

Published:2022/07/20 Last Updated:2022/07/21

Overview

Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities.

Products Affected

  • Cybozu Office 10.0.0 to 10.8.5

Description

Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below.

  • [CyVDB-839][CyVDB-2300][CyVDB-3109] Browse restriction bypass vulnerability in Cabinet (CWE-284) - CVE-2022-32283

    CVSS v3

    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

    Base Score: 4.3

    CVSS v2

    AV:N/AC:L/Au:S/C:P/I:N/A:N

    Base Score: 4.0

  • [CyVDB-1795] Operation restriction bypass vulnerability in Project (CWE-285) - CVE-2022-32544

    CVSS v3

    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

    Base Score: 4.3

    CVSS v2

    AV:N/AC:L/Au:S/C:N/I:P/A:N

    Base Score: 4.0

  • [CyVDB-1800][CyVDB-2798][CyVDB-2927] Browse restriction bypass vulnerability in Custom App (CWE-284) - CVE-2022-29891

    CVSS v3

    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

    Base Score: 4.3

    CVSS v2

    AV:N/AC:L/Au:S/C:P/I:N/A:N

    Base Score: 4.0

  • [CyVDB-1849] Cross-site scripting vulnerability in the specific parameters (CWE-79) - CVE-2022-33151

    CVSS v3

    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    Base Score: 6.1

    CVSS v2

    AV:N/AC:H/Au:N/C:N/I:P/A:N

    Base Score: 2.6

  • [CyVDB-1851][CyVDB-1856][CyVDB-1873][CyVDB-1944][CyVDB-2173] Cross-site scripting vulnerability in the specific parameters (CWE-79) - CVE-2022-28715

    CVSS v3

    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    Base Score: 6.1

    CVSS v2

    AV:N/AC:H/Au:N/C:N/I:P/A:N

    Base Score: 2.6

  • [CyVDB-1859] Cross-site scripting vulnerability in the specific parameters (CWE-79) - CVE-2022-30604

    CVSS v3

    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    Base Score: 6.1

    CVSS v2

    AV:N/AC:H/Au:N/C:N/I:P/A:N

    Base Score: 2.6

  • [CyVDB-2030] HTTP header injection vulnerability (CWE-113) - CVE-2022-32453

    CVSS v3

    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    Base Score: 6.1

    CVSS v2

    AV:N/AC:H/Au:N/C:N/I:P/A:N

    Base Score: 2.6

  • [CyVDB-2152][CyVDB-2153][CyVDB-2154][CyVDB-2155] Information disclosure vulnerability in the system configuration (CWE-200) - CVE-2022-30693

    CVSS v3

    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    Base Score: 5.3

    CVSS v2

    AV:N/AC:L/Au:N/C:P/I:N/A:N

    Base Score: 5.0

  • [CyVDB-2693] Operation restriction bypass vulnerability in Scheduler (CWE-285) - CVE-2022-32583

    CVSS v3

    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

    Base Score: 4.3

    CVSS v2

    AV:N/AC:L/Au:S/C:N/I:P/A:N

    Base Score: 4.0

  • [CyVDB-2695][CyVDB-2819] Browse restriction bypass vulnerability in Scheduler (CWE-284) - CVE-2022-25986

    CVSS v3

    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

    Base Score: 4.3

    CVSS v2

    AV:N/AC:L/Au:S/C:P/I:N/A:N

    Base Score: 4.0

  • [CyVDB-2770] Browse restriction bypass vulnerability in Address Book (CWE-284) - CVE-2022-33311

    CVSS v3

    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

    Base Score: 4.3

    CVSS v2

    AV:N/AC:L/Au:S/C:P/I:N/A:N

    Base Score: 4.0

  • [CyVDB-2939] Cross-site scripting vulnerability in the specific parameters (CWE-79) - CVE-2022-29487

    CVSS v3

    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    Base Score: 6.1

    CVSS v2

    AV:N/AC:H/Au:N/C:N/I:P/A:N

    Base Score: 2.6

Impact

  • [CyVDB-839], [CyVDB-2300], [CyVDB-3109]:
    A user who can log in to the product may obtain the data of Cabinet.
  • [CyVDB-1795]:
    A user who can log in to the product may alter the data of Project.
  • [CyVDB-1800], [CyVDB-2798], [CyVDB-2927]:
    A user who can log in to the product may obtain the data of Custom App.
  • [CyVDB-1849], [CyVDB-1851], [CyVDB-1856], [CyVDB-1859], [CyVDB-1873], [CyVDB-1944], [CyVDB-2173], [CyVDB-2939]:
    An arbitrary script may be executed on a logged-in user’s web browser.
  • [CyVDB-2030]:
    A remote attacker may obtain and/or alter the data of the product.
  • [CyVDB-2152], [CyVDB-2153], [CyVDB-2154], [CyVDB-2155]:
    A remote attacker may obtain the data of the product.
  • [CyVDB-2693]:
    A user who can log in to the product may alter the data of Scheduler.
  • [CyVDB-2695], [CyVDB-2819]:
    A user who can log in to the product may obtain the data of Scheduler.
  • [CyVDB-2770]:
    A user who can log in to the product may obtain the data of Address Book.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2022-28715, CVE-2022-30604, CVE-2022-32453, CVE-2022-33151
Masato Kinugawa reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.

CVE-2022-29891, CVE-2022-32544, CVE-2022-32583
Yuji Tounai reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.

CVE-2022-30693
Kanta Nishitani of Ierae Security Inc. reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.

CVE-2022-29487, CVE-2022-25986, CVE-2022-32283, CVE-2022-33311
Cybozu, Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solution through JVN.

Other Information

Update History

2022/07/21

Information under the section [Description] was fixed.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE