CVE-2021-20795
Description
Cross-site request forgery (CSRF) vulnerability in the management screen of Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote attacker to hijack the authentication of administrators and perform unintended operations via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cybozu Remote Service 3.1.8 to 3.1.9 contains a CSRF vulnerability in the management screen, allowing an attacker to hijack administrator authentication and perform unintended operations.
Vulnerability
A cross-site request forgery (CSRF) vulnerability exists in the management screen of Cybozu Remote Service versions 3.1.8 to 3.1.9 [1]. This flaw allows a remote attacker to hijack the authentication of administrators, enabling unintended operations to be performed via unspecified vectors [1][2]. The vulnerability is categorized as CWE-352 [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious request that leverages the authenticated session of an administrator. The attack requires user interaction, as the administrator must open a specially crafted link or page while logged in to the management screen [1][2]. No authentication or special privileges are required on the attacker's part, as the attack is performed against an authenticated session [1].
Impact
Successful exploitation allows an attacker to perform unintended operations on the affected management screen with the administrator's privileges. The impact is limited to integrity — the attacker can modify system settings or data, but there is no impact on confidentiality or availability [1]. The attack does not change the scope of the affected component [2].
Mitigation
Cybozu has addressed this vulnerability in version 4.0.0 of Cybozu Remote Service, released on 2021-09-29 [2]. Users running versions 3.1.8 to 3.1.9 should upgrade to version 4.0.0 or later. According to the vendor, no fix is planned for older versions of Remote Service [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 3.1.8 to 3.1.9
- Cybozu, Inc./Cybozu Remote Service (v5), Range: 3.1.8 to 3.1.9
Patches
No patches discovered yet.
References
- jvn.jp/en/jp/JVN52694228/index.html (mitre, x_refsource_MISC)
- kb.cybozu.support/article/37422 (mitre, x_refsource_MISC)