Unrated severity · NVD Advisory · Published Oct 13, 2021 · Updated Aug 3, 2024

CVE-2021-20799

Description

Cross-site scripting vulnerability in the management screen of Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated cross-site scripting in Cybozu Remote Service management screen allows arbitrary script injection via unspecified vectors.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the management screen of Cybozu Remote Service versions 3.1.8 to 3.1.9 [1]. An authenticated remote attacker can inject an arbitrary script via unspecified vectors in the management screen interface [2]. The vulnerability is classified as CWE-79 (Cross-site Scripting) [1].

Exploitation

The attacker must be authenticated with at least basic user privileges to the Cybozu Remote Service management screen [2]. The attack requires user interaction from the victim (e.g., clicking a crafted link) [1][2]. The attack complexity is low, as the attacker does not need a special network position beyond standard HTTP access [1][2]. CVSS v3 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (Base Score 5.4) [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary scripts in the victim's browser within the context of the Cybozu Remote Service management interface [1][2]. This can lead to information disclosure (e.g., stealing session tokens) and partial integrity impact because the attacker can modify displayed content [2]. The CVSS scope is changed, meaning the impact may extend beyond the vulnerable component [1][2].

Mitigation

The vulnerability is fixed in Cybozu Remote Service version 4.0.0, released on 2021-09-29 [2]. Users should upgrade to version 4.0.0 or later [2]. No workaround or partial mitigation is documented in the available references. Affected versions are 3.1.8 and 3.1.9; end-of-life status is not indicated [1][2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
