CVE-2021-20798

Vulnerability

CVE-2021-20798 is a cross-site scripting (XSS) vulnerability in the management screen of Cybozu Remote Service versions 3.1.8 through 3.1.9 [1]. The issue is classified under CWE-79. An authenticated remote attacker can inject arbitrary script via unspecified vectors when the victim views a crafted page [2].

Exploitation

An attacker must be authenticated to the management screen and entice a victim (also authenticated) to click a malicious link or interact with crafted content. The attack vector is network-based, requires low privileges, and user interaction is required. The scope changes, meaning the injected script can affect resources outside the vulnerable component [1][2]. Specific exploitation steps are not publicly disclosed by the vendor to prevent attacks [2].

Impact

Successful exploitation allows the attacker to execute arbitrary scripts in the victim's web browser within the context of the management screen. This can lead to information disclosure (low confidentiality impact), data modification (low integrity impact), and potential further actions due to the changed scope [1][2].

Mitigation

The vulnerability is fixed in Cybozu Remote Service version 4.0.0, released on 2021-09-29 [2]. Users should upgrade to version 4.0.0 or later. No workaround is provided for versions 3.1.8 and 3.1.9. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.