Vulnerability CVE-2013-2305


Published: 2013-04-25

Description:
Cross-site request forgery (CSRF) vulnerability in Cybozu Office before 8.1.6 and 9.x before 9.3.0, Cybozu Dezie before 8.0.7, and Cybozu Mailwise before 5.0.4 allows remote attackers to hijack the authentication of arbitrary users for requests that change passwords.

Type:

CWE-352

(Cross-Site Request Forgery (CSRF))

Vendor: Cybozu
Product: Cybozu office 
Version:
9.2.1
9
8
7
6
Product: Cybozu dezie 
Version:
8.0.6
8.0.5
8.0.4
8.0.3
8.0.2
8.0.1
8.0.0
Product: Mailwise 
Version:
5.0
3.0(0.2)
3.0
2.1
2.0
1.0

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://jvndb.jvn.jp/jvndb/JVNDB-2013-000034
http://jvn.jp/en/jp/JVN06251813/index.html
http://jvn.jp/en/jp/JVN06251813/374951/index.html
http://cs.cybozu.co.jp/information/20130415up10.php

Related CVE
CVE-2018-16178
Cybozu Garoon 3.0.0 to 4.10.0 allows remote attackers to bypass access restriction to view information available only for a sign-on user via Single sign-on function.
CVE-2018-16172
Improper countermeasure against clickjacking attack in client certificates management screen was discovered in Cybozu Remote Service 3.0.0 to 3.1.8, that allows remote attackers to trick a user to delete the registered client certificate.
CVE-2018-16171
Directory traversal vulnerability in Cybozu Remote Service 3.0.0 to 3.1.8 allows remote attackers to execute Java code file on the server via unspecified vectors.
CVE-2018-16170
Directory traversal vulnerability in Cybozu Remote Service 3.0.0 to 3.1.8 for Windows allows remote authenticated attackers to read arbitrary files via unspecified vectors.
CVE-2018-16169
Cybozu Remote Service 3.0.0 to 3.1.0 allows remote authenticated attackers to upload and execute Java code file on the server via unspecified vectors.
CVE-2018-0705
Directory traversal vulnerability in Cybozu Dezie 8.0.2 to 8.1.2 allows remote attackers to read arbitrary files via HTTP requests.
CVE-2018-0704
Directory traversal vulnerability in Cybozu Office 10.0.0 to 10.8.1 allows remote attackers to delete arbitrary files via Keitai Screen.
CVE-2018-0703
Directory traversal vulnerability in Cybozu Office 10.0.0 to 10.8.1 allows remote attackers to delete arbitrary files via HTTP requests.

Copyright 2019, cxsecurity.com

 

Back to Top