Vulnerability CVE-2016-4874


Published: 2017-04-17   Modified: 2017-04-20

Description:
Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to conduct a "reflected file download" attack.

Vendor: Cybozu
Product: Office 
Version:
9.9.0
9.3.2
9.3.1
9.3.0
9.2.1
9.2.0
9.1.0
9.0
10.4.0
10.3.0
10.2.0
10.1.2
10.1.0
10.0.2
10.0.1
10.0.0

CVSS2 => (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
3.5/10
2.9/10
6.8/10
Exploit range
Attack complexity
Authentication
Remote
Medium
Single time
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://jvn.jp/en/jp/JVN11288252/index.html
http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000193.html
http://www.securityfocus.com/bid/97719
https://support.cybozu.com/ja-jp/article/9434

Related CVE
CVE-2016-4843
Cybozu Mailwise before 5.4.0 allows remote attackers to obtain sensitive cookie information.
CVE-2016-4844
Cybozu Mailwise before 5.4.0 allows remote attackers to conduct clickjacking attacks.
CVE-2016-4842
Cybozu Mailwise before 5.4.0 allows remote attackers to obtain information on when an email is read.
CVE-2016-1217
Cross-site scripting (XSS) vulnerability in the "Check available times" function in Cybozu Garoon before 4.2.2.
CVE-2016-1218
SQL injection vulnerability in Cybozu Garoon before 4.2.2.
CVE-2016-1220
Cybozu Garoon before 4.2.2 does not properly restrict access.
CVE-2016-1213
The "Scheduler" function in Cybozu Garoon before 4.2.2 allows remote attackers to redirect users to arbitrary websites.
CVE-2016-1214
Cross-site scripting (XSS) vulnerability in the "Response request" function in Cybozu Garoon before 4.2.2.

Copyright 2017, cxsecurity.com