VYPR
Unrated severity · NVD Advisory · Published Oct 13, 2021 · Updated Aug 3, 2024

CVE-2021-20801

Description

Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to conduct XML External Entity (XXE) attacks and obtain the information stored in the product via unspecified vectors. This issue occurs only when using Mozilla Firefox.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cybozu Remote Service 3.1.8 to 3.1.9 has an XXE vulnerability exploitable via Firefox by an authenticated attacker, leaking stored data.

Vulnerability

An XML External Entity (XXE) vulnerability exists in Cybozu Remote Service versions 3.1.8 and 3.1.9. The issue occurs only when the product is used with Mozilla Firefox. An authenticated attacker can exploit this vulnerability via unspecified vectors, leveraging the XXE to read internal files or interact with internal resources. This is tracked as [CyVDB-1811] in the vendor's documentation [1][2].

Exploitation

An attacker must be a remote authenticated user of Cybozu Remote Service and access the product using Mozilla Firefox. The attack complexity is low, no user interaction is required, and the attack is performed over the network. The exact sequence of steps has not been publicly disclosed by the vendor [1][2].

Impact

Successful exploitation allows the attacker to obtain information stored in the product by reading files or resources via XXE. The impact on confidentiality is rated as low (limited information disclosure). There is no impact on integrity or availability [1][2].

Mitigation

The vulnerability is fixed in Cybozu Remote Service version 4.0.0, released on 2021-09-29. No workarounds are provided. According to the vendor, no fix is planned for older versions because the CVSS base score is 4.3 (Medium) [2]. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
