CVE-2021-20800
Description
Cross-site scripting vulnerability in the management screen of Cybozu Remote Service 3.1.8 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated cross-site scripting (XSS) in Cybozu Remote Service 3.1.8 management screen allows arbitrary script injection via unspecified vectors.
Vulnerability
Cybozu Remote Service 3.1.8 contains a stored cross-site scripting (XSS) vulnerability in the management screen [1][2]. The issue, tracked as CyVDB-1810, allows a remote authenticated attacker to inject arbitrary scripts into the application. The vulnerability is present in version 3.1.8 only, as indicated by the advisory [1][2].
Exploitation
An attacker must have a valid account with at least basic privileges to access the management screen. No specific authentication level beyond a standard user login is required [2]. The attack vector is network-based with low complexity, but the attacker must convince a victim user (who may be a different authenticated user) to view a page containing the injected script, as user interaction is required [2]. The exact injection point and steps are not publicly disclosed by the vendor to prevent exploitation [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session [2]. This can allow the attacker to read or modify restricted information, perform actions on behalf of the victim, or achieve further compromise within the affected application. The CVSS v3 base score is 5.4 (Medium), with low impacts on confidentiality and integrity, and no impact on availability [2]. The scope is changed, meaning the injected script can affect resources beyond the vulnerable component [2].
Mitigation
The vulnerability is fixed in Cybozu Remote Service 4.0.0, released on 2021-09-29 [2]. Users should upgrade to version 4.0.0 or later. For versions prior to 3.1.8, the vulnerability does not apply; only version 3.1.8 is affected [1][2]. There is no known workaround published. The vendor recommends applying the update as soon as possible [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =3.1.8
- Cybozu, Inc./Cybozu Remote Service (v5), Range: 3.1.8
Patches
No patches discovered yet.
References
- jvn.jp/en/jp/JVN52694228/index.html (mitre, x_refsource_MISC)
- kb.cybozu.support/article/37420 (mitre, x_refsource_MISC)