Unrated severity · NVD Advisory · Published Oct 13, 2021 · Updated Aug 3, 2024

CVE-2021-20797


Description

Cross-site script inclusion vulnerability in the management screen of Cybozu Remote Service 3.1.8 allows a remote authenticated attacker to obtain the information stored in the product. This issue occurs only when using Mozilla Firefox.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site script inclusion in Cybozu Remote Service 3.1.8 management screen allows authenticated attackers to obtain stored information when using Mozilla Firefox.

Vulnerability

CVE-2021-20797 is a cross-site script inclusion vulnerability (CWE-829) in the management screen of Cybozu Remote Service version 3.1.8. The issue occurs only when the product is accessed using Mozilla Firefox. An authenticated attacker can exploit this flaw to include a script from the management screen, leading to unintended information disclosure [1][2].

Exploitation

An attacker with a low-privileged account on Cybozu Remote Service can craft a malicious page or link. When another authenticated user views this content in Mozilla Firefox, the attacker’s script includes a resource from the management screen, causing the victim’s browser to send sensitive data to the attacker. User interaction is required, and the attack is performed over the network [1].

Impact

Successful exploitation allows the attacker to obtain information stored in the product. The CVSS v3 base score is 5.4 (Medium), with low confidentiality and low integrity impact, and no impact on availability. The scope is changed, meaning the compromise can affect resources beyond the vulnerable component [1].

Mitigation

The vulnerability is fixed in Cybozu Remote Service version 4.0.0, released on 2021-09-29 [2]. Users running version 3.1.8 should upgrade to 4.0.0 or later. No workaround is documented. The affected version is limited to 3.1.8; later versions (3.1.9) are not affected [1][2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
