Vulnerability CVE-2016-4868


Published: 2017-04-17   Modified: 2017-04-20

Description:
Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to inject arbitrary email headers.

Vendor: Cybozu
Product: Office 
Version:
9.9.0
9.3.2
9.3.1
9.3.0
9.2.1
9.2.0
9.1.0
9.0
10.4.0
10.3.0
10.2.0
10.1.2
10.1.0
10.0.2
10.0.1
10.0.0

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://jvn.jp/en/jp/JVN08736331/index.html
http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000190.html
http://www.securityfocus.com/bid/97713
https://support.cybozu.com/ja-jp/article/9433

Related CVE
CVE-2017-2115
Cybozu Office 10.0.0 to 10.5.0 allows remote authenticated attackers to bypass access restriction to obtain "customapp" information via unspecified vectors.
CVE-2017-2114
Cross-site scripting vulnerability in Cybozu Office 10.0.0 to 10.5.0 allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2017-2116
Cybozu Office 10.0.0 to 10.5.0 allows remote authenticated attackers to bypass access restriction to delete "customapp" templates via unspecified vectors.
CVE-2017-2109
Cybozu KUNAI for Android 3.0.4 to 3.0.5.1 allow remote attackers to obtain log information through a malicious Android application.
CVE-2017-2094
Cybozu Garoon 3.0.0 to 4.2.3 allows remote authenticated attackers to bypass access restriction in Workflow and the "MultiReport" function to alter or delete information via unspecified vectors.
CVE-2017-2095
Cybozu Garoon 3.0.0 to 4.2.3 allows remote authenticated attackers to bypass access restriction in the mail function leading to an alteration of the order of mail folders via unspecified vectors.
CVE-2017-2091
Cybozu Garoon 3.0.0 to 4.2.3 allows remote authenticated attackers to bypass access restriction in Phone Messages function to alter the status of phone messages via unspecified vectors.
CVE-2017-2092
Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.2.3 allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.

Copyright 2017, cxsecurity.com