CVE-2015-5647
high
CVSS v3
—
CVSS v2
8.5
VIR risk
8.5
Description
The RSS Reader component in Cybozu Garoon 3.x through 3.7.5 and 4.x through 4.0.3 allows remote authenticated users to execute arbitrary PHP code via unspecified vectors, aka CyVDB-866.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: vultures@jpcert.or.jp — https://support.cybozu.com/ja-jp/article/8810
Vendor advisory: vultures@jpcert.or.jp — http://jvndb.jvn.jp/jvndb/JVNDB-2015-000151
Vendor advisory: vultures@jpcert.or.jp — http://jvn.jp/en/jp/JVN21025396/index.html
Vendor advisory: vultures@jpcert.or.jp — http://jvn.jp/en/jp/JVN21025396/374951/index.html
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| cybozu | garoon | 3.0.0 | |
| cybozu | garoon | 3.0.1 | |
| cybozu | garoon | 3.0.2 | |
| cybozu | garoon | 3.0.3 | |
| cybozu | garoon | 3.1.0 | |
| cybozu | garoon | 3.1.1 | |
| cybozu | garoon | 3.1.2 | |
| cybozu | garoon | 3.1.3 | |
| cybozu | garoon | 3.5.0 | |
| cybozu | garoon | 3.5.1 | |
| cybozu | garoon | 3.5.2 | |
| cybozu | garoon | 3.5.3 | |
| cybozu | garoon | 3.5.4 | |
| cybozu | garoon | 3.5.5 | |
| cybozu | garoon | 3.7.0 | |
| cybozu | garoon | 3.7.1 | |
| cybozu | garoon | 3.7.2 | |
| cybozu | garoon | 3.7.3 | |
| cybozu | garoon | 3.7.4 | |
| cybozu | garoon | 3.7.5 | |
| cybozu | garoon | 4.0.0 | |
| cybozu | garoon | 4.0.1 | |
| cybozu | garoon | 4.0.2 | |
| cybozu | garoon | 4.0.3 | |
References
- http://jvn.jp/en/jp/JVN21025396/374951/index.html
- http://jvn.jp/en/jp/JVN21025396/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2015-000151
- https://support.cybozu.com/ja-jp/article/8810
CWEs
CWE-94