CVE-2016-1190
medium
CVSS v3
6.5
CVSS v2
4.0
VIR risk
6.5
Description
Cybozu Garoon 3.1 through 4.2 allows remote authenticated users to bypass intended restrictions on MultiReport reading via unspecified vectors.
Predictions
Exploit likelihood
75%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: vultures@jpcert.or.jp — https://support.cybozu.com/ja-jp/article/8877
Vendor advisory: vultures@jpcert.or.jp — http://jvndb.jvn.jp/jvndb/JVNDB-2016-000094
Vendor advisory: vultures@jpcert.or.jp — http://jvn.jp/en/jp/JVN18975349/index.html
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| cybozu | garoon | 3.1.0 | |
| cybozu | garoon | 3.1.1 | |
| cybozu | garoon | 3.1.2 | |
| cybozu | garoon | 3.1.3 | |
| cybozu | garoon | 3.5.0 | |
| cybozu | garoon | 3.5.1 | |
| cybozu | garoon | 3.5.2 | |
| cybozu | garoon | 3.5.3 | |
| cybozu | garoon | 3.5.4 | |
| cybozu | garoon | 3.5.5 | |
| cybozu | garoon | 3.7.0 | |
| cybozu | garoon | 3.7.1 | |
| cybozu | garoon | 3.7.2 | |
| cybozu | garoon | 3.7.3 | |
| cybozu | garoon | 3.7.4 | |
| cybozu | garoon | 3.7.5 | |
| cybozu | garoon | 4.0.0 | |
| cybozu | garoon | 4.0.1 | |
| cybozu | garoon | 4.0.2 | |
| cybozu | garoon | 4.0.3 | |
| cybozu | garoon | 4.2.0 | |
References
- http://jvn.jp/en/jp/JVN18975349/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2016-000094
- https://garoon.cybozu.co.jp/support/update/package/421sp1.html#03
- https://support.cybozu.com/ja-jp/article/8877
CWEs
CWE-284