Cybozu Garoon Session Fixation and Cross Site Scripting Vulnerabilities
BID:29981
Info
Cybozu Garoon Session Fixation and Cross Site Scripting Vulnerabilities
| Bugtraq ID: | 29981 |
| Class: | Input Validation Error |
| CVE: |
CVE-2008-6569 |
| Remote: | Yes |
| Local: | No |
| Published: | Jun 27 2008 12:00AM |
| Updated: | May 07 2015 05:27PM |
| Credit: | JVN |
| Vulnerable: |
Cybozu Garoon 2.1.3 Cybozu Garoon 2.1.1 Cybozu Garoon 2.1 |
| Not Vulnerable: | |
Discussion
Cybozu Garoon Session Fixation and Cross Site Scripting Vulnerabilities
Cybozu Garoon is prone to multiple vulnerabilities, including a session-fixation vulnerability and a cross-site scripting vulnerability.
An attacker may leverage the session-fixation issue to hijack a session of an unsuspecting user. The attacker may exploit the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Cybozu Garoon 2.1.3 and prior versions are vulnerable.
Cybozu Garoon is prone to multiple vulnerabilities, including a session-fixation vulnerability and a cross-site scripting vulnerability.
An attacker may leverage the session-fixation issue to hijack a session of an unsuspecting user. The attacker may exploit the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Cybozu Garoon 2.1.3 and prior versions are vulnerable.
Exploit / POC
Cybozu Garoon Session Fixation and Cross Site Scripting Vulnerabilities
To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI.
To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI.
Solution / Fix
Cybozu Garoon Session Fixation and Cross Site Scripting Vulnerabilities
Solution:
Reports indicate that the vendor has released an updated. Please contact the vendor for more information.
Solution:
Reports indicate that the vendor has released an updated. Please contact the vendor for more information.
References
Cybozu Garoon Session Fixation and Cross Site Scripting Vulnerabilities
References:
References:
- Cybozu Garoon Download page (Cybozu)
- Cybozu Home Page (Cybozu)
- Garoon Homepage (Cybozu)
- JVN#18700809 (Cybozu)
- JVN#52363223 (Cybozu)
- Cybozu advisory (Cybozu)
- Cybozu advisory (Cybozu)