Unrated severity · NVD Advisory · Published Jan 9, 2019 · Updated Aug 5, 2024

CVE-2018-16169

Description

Cybozu Remote Service 3.0.0 to 3.1.0 allows remote authenticated attackers to upload and execute a Java code file on the server via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cybozu Remote Service 3.0.0–3.1.0 allows authenticated attackers to upload and execute arbitrary Java code via the logo setting screen.

Vulnerability

Cybozu Remote Service versions 3.0.0 to 3.1.0 contain an improper input validation vulnerability in the logo setting screen, allowing remote authenticated attackers to upload arbitrary files, including Java code [1][2]. The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) [2].

Exploitation

An attacker must have valid credentials with at least basic privileges (PR:L) to access the management screen [1]. No user interaction is required (UI:N). The attack vector is network (AV:N) with low complexity (AC:L) [1][2]. The attacker can upload a malicious Java file through the logo setting screen, which is then executed on the server.

Impact

Successful exploitation leads to arbitrary Java code execution on the server, with high impact on confidentiality, integrity, and availability (CVSS v3 base score 8.8) [1][2]. The attacker can read, modify, or delete sensitive data and potentially take full control of the affected component.

Mitigation

Cybozu released version 3.1.1, which fixes this vulnerability [1]. Users should update to the latest version. No workarounds are mentioned in the references. The vulnerability is not listed in CISA KEV as of the publication date.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

2
