Unrated severity · NVD Advisory · Published Oct 13, 2021 · Updated Aug 3, 2024

CVE-2021-20806

Description

Open redirect vulnerability in Cybozu Remote Service 3.0.0 to 3.1.9 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cybozu Remote Service versions 3.0.0 to 3.1.9 contain an open redirect vulnerability that could be used in phishing attacks.

Vulnerability

Cybozu Remote Service versions 3.0.0 to 3.1.9 are affected by an open redirect vulnerability (CVE-2021-20806) [1][2]. The issue exists in unspecified functionality and allows remote attackers to craft URLs that redirect users to arbitrary external sites [2]. The vulnerability requires network access and high attack complexity, with no privileges or user interaction needed [2]. The affected versions are 3.0.0, 3.0.1, and 3.1.0 through 3.1.9 [2].

Exploitation

An attacker can exploit this vulnerability by sending a crafted URL to a victim [2]. No authentication is required, and the attacker does not need any special privileges [2]. The attack complexity is rated as high, meaning specific conditions may be needed to trigger the redirect [2]. To prevent attacks, the vendor has not published reproduction steps [2].

Impact

Successful exploitation can cause unintended redirects that send users to malicious websites for phishing or other social engineering attacks [2]. The integrity impact is low, but the scope may change, meaning the redirected user could interact with a different security context [2]. Confidentiality and availability are not affected [2].

Mitigation

The vulnerability is fixed in Cybozu Remote Service version 4.0.0, released on 2021-09-29 [2]. Users are strongly advised to update to the latest version [2]. There is no information about workarounds for unpatched versions [2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


References

2
