VYPR
Unrated severity · NVD Advisory · Published Oct 13, 2021 · Updated Aug 3, 2024

CVE-2021-20805

Description

Cross-site scripting vulnerability in the management screen of Cybozu Remote Service 3.1.7 to 3.1.9 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting vulnerability in Cybozu Remote Service management screen allows authenticated attackers to inject arbitrary scripts.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the management screen of Cybozu Remote Service versions 3.1.7 to 3.1.9. The vulnerability allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. The attack requires the attacker to have low-privilege authentication to the management screen [1][2].

Exploitation

An attacker must be authenticated with low privileges (e.g., a basic user account) and must convince a victim user (likely an administrator) to interact with a crafted link or page. The exact exploitation steps have not been publicly disclosed by the vendor to prevent potential attacks [2]. The attack vector is network-based, with low complexity, but requires user interaction [2].

Impact

Successful exploitation allows the attacker to execute arbitrary scripts in the context of the victim's browser session on the management screen. The CVSS v3 base score is 5.4 (Medium) with a changed scope, meaning the impact may extend beyond the vulnerable component. Confidentiality and integrity are rated low, as the attacker can read or modify limited information [2].

Mitigation

The vulnerability is fixed in Cybozu Remote Service version 4.0.0, released on September 29, 2021 [2]. Users should upgrade to version 4.0.0 or later. No workarounds have been provided by the vendor. The affected versions 3.1.7 to 3.1.9 are no longer supported [1][2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

2
