Vulnerability CVE-2008-6744


Published: 2009-04-23   Modified: 2009-08-19

Description:
Cross-site request forgery (CSRF) vulnerability in Cybozu Office 6, Cybozu Dezie before 6.0(1.0), and Cybozu Garoon 2.0.0 through 2.1.3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

Type: CWE-352 (Cross-Site Request Forgery (CSRF))

Vendor: Cybozu
Product: Cybozu Dezie
Version: 6
Product: Cybozu Office
Version: 6
Product: Cybozu Garoon
Version: 2.1.3, 2.1.2, 2.1.1, 2.1.0, 2.0.6, 2.0.5, 2.0.4, 2.0.3, 2.0.2, 2.0.1, 2.0.0

CVSS2 vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

References:
http://xforce.iss.net/xforce/xfdb/43438
http://secunia.com/advisories/30882
http://osvdb.org/46575
http://jvndb.jvn.jp/ja/contents/2008/JVNDB-2008-000033.html
http://jvn.jp/en/jp/JVN18405927/index.html
http://cybozu.co.jp/products/dl/notice/detail/0018.html
http://cybozu.co.jp/products/dl/notice/detail/0016.html

Related CVE
CVE-2016-4843
Cybozu Mailwise before 5.4.0 allows remote attackers to obtain sensitive cookie information.
CVE-2016-4844
Cybozu Mailwise before 5.4.0 allows remote attackers to conduct clickjacking attacks.
CVE-2016-4842
Cybozu Mailwise before 5.4.0 allows remote attackers to obtain information on when an email is read.
CVE-2016-1217
Cross-site scripting (XSS) vulnerability in the "Check available times" function in Cybozu Garoon before 4.2.2.
CVE-2016-1218
SQL injection vulnerability in Cybozu Garoon before 4.2.2.
CVE-2016-1220
Cybozu Garoon before 4.2.2 does not properly restrict access.
CVE-2016-1213
The "Scheduler" function in Cybozu Garoon before 4.2.2 allows remote attackers to redirect users to arbitrary websites.
CVE-2016-1214
Cross-site scripting (XSS) vulnerability in the "Response request" function in Cybozu Garoon before 4.2.2.
