IPA/ISEC：Vulnerabilities：Security Alert for Vulnerability in Multiple Cybozu Products

Published: April 20, 2010
>> JAPANESE

1.Overview

Cybozu Office 7 Ktai and Cybozu Dotsales, developed by Cybozu Inc., are groupware intended for corporate use. They have security vulnerability that allows an attacker to access the Cybozu system as a registered user using the user’s cell phone ID. If exploited, user’s personal information held in the Cybozu system may be disclosed to or altered by the malicious attacker.

Given the high potential impact of the vulnerability and the wide use of the Cybozu products in Japan, IPA has issued the security alert to raise awareness of a number of users who may be affected by this vulnerability.

For detailed information, refer to the following URL:
http://cybozu.co.jp/products/dl/notice/detail/0034.html (Japanese)

For the latest information, refer to the following URL:
http://jvndb.jvn.jp/jvndb/JVNDB-2010-000016

IPA and JPCERT Coordination Center (JPCERT/CC) received a report concerning this vulnerability directly from the product developer on April 15, 2010, in line with the Information Security Early Warning Partnership, and made the announcement public on April 20, 2010.

2.Impact

The user’s personal information held in the Cybozu system may be disclosed to or altered by a malicious attacker.

3.Solution

To fix this vulnerability, update to the fixed version or apply workaround following the instruction provided by the product developer.

4.CVSS Severity

(1)Evaluation Result

(2) Base Score Metrics

■:Selected Values

5.CWE Type

This vulnerability has been CWE classified as Permissions, Privileges, and Access Controls (CWE-264)".

Contact