CVE-2016-4874 : Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to conduct a "reflect

Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to conduct a "reflected file download" attack.

Published 2017-04-17 15:59:01

Updated 2017-04-20 16:27:31

Source JPCERT/CC

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2016-4874

Cybozu » Office » Version: 9.0
cpe:2.3:a:cybozu:office:9.0:*:*:*:*:*:*:*
Matching versions
Cybozu » Office » Version: 9.9.0
cpe:2.3:a:cybozu:office:9.9.0:*:*:*:*:*:*:*
Matching versions
Cybozu » Office » Version: 10.0.0
cpe:2.3:a:cybozu:office:10.0.0:*:*:*:*:*:*:*
Matching versions
Cybozu » Office » Version: 9.3.1
cpe:2.3:a:cybozu:office:9.3.1:*:*:*:*:*:*:*
Matching versions
Cybozu » Office » Version: 9.2.1
cpe:2.3:a:cybozu:office:9.2.1:*:*:*:*:*:*:*
Matching versions
Cybozu » Office » Version: 9.2.0
cpe:2.3:a:cybozu:office:9.2.0:*:*:*:*:*:*:*
Matching versions
Cybozu » Office » Version: 9.1.0
cpe:2.3:a:cybozu:office:9.1.0:*:*:*:*:*:*:*
Matching versions
Cybozu » Office » Version: 10.2.0
cpe:2.3:a:cybozu:office:10.2.0:*:*:*:*:*:*:*
Matching versions
Cybozu » Office » Version: 10.1.2
cpe:2.3:a:cybozu:office:10.1.2:*:*:*:*:*:*:*
Matching versions
Cybozu » Office » Version: 10.1.0
cpe:2.3:a:cybozu:office:10.1.0:*:*:*:*:*:*:*
Matching versions
Cybozu » Office » Version: 10.0.2
cpe:2.3:a:cybozu:office:10.0.2:*:*:*:*:*:*:*
Matching versions
Cybozu » Office » Version: 10.0.1
cpe:2.3:a:cybozu:office:10.0.1:*:*:*:*:*:*:*
Matching versions
Cybozu » Office » Version: 10.3.0
cpe:2.3:a:cybozu:office:10.3.0:*:*:*:*:*:*:*
Matching versions
Cybozu » Office » Version: 9.3.2
cpe:2.3:a:cybozu:office:9.3.2:*:*:*:*:*:*:*
Matching versions
Cybozu » Office » Version: 9.3.0
cpe:2.3:a:cybozu:office:9.3.0:*:*:*:*:*:*:*
Matching versions
Cybozu » Office » Version: 10.4.0
cpe:2.3:a:cybozu:office:10.4.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-4874

EPSS FAQ

0.23%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 43 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-4874

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.5	LOW	AV:N/AC:M/Au:S/C:N/I:P/A:N	6.8	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
3.5	LOW	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N	2.1	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2016-4874

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-4874

https://support.cybozu.com/ja-jp/article/9434

不具合情報公開サイト
Vendor Advisory
http://jvn.jp/en/jp/JVN11288252/index.html

JVN#11288252: Cybozu Office vulnerable to Reflected File Download (RFD)
Third Party Advisory;VDB Entry
http://www.securityfocus.com/bid/97719

Cybozu Office CVE-2016-4874 Arbitrary File Download Vulnerability
Third Party Advisory;VDB Entry
http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000193.html

JVNDB-2016-000193 - JVN iPedia
Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2016-4874

Products affected by CVE-2016-4874

Exploit prediction scoring system (EPSS) score for CVE-2016-4874

CVSS scores for CVE-2016-4874

CWE ids for CVE-2016-4874

References for CVE-2016-4874