Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
EUVDB-ID: #VU39157
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-4841
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to manipulate data.
Cybozu Mailwise before 5.4.0 allows remote attackers to inject arbitrary email headers.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Mailwise: 5.0.0 - 5.3.2
CPE2.3:
https://jvn.jp/en/jp/JVN01353821/index.html
https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000135.html
https://www.securityfocus.com/bid/92459
https://support.cybozu.com/ja-jp/article/9607
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into performing certain actions on the device.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU39163
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-4842
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Cybozu Mailwise before 5.4.0 allows remote attackers to obtain information on when an email is read.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Mailwise: 5.0.0 - 5.3.2
CPE2.3:
https://jvn.jp/en/jp/JVN02576342/index.html
https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000136.html
https://www.securityfocus.com/bid/92460
https://support.cybozu.com/ja-jp/article/9606
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into performing certain actions on the device.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU39164
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-4843
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Cybozu Mailwise before 5.4.0 allows remote attackers to obtain sensitive cookie information.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Mailwise: 5.0.0 - 5.3.2
CPE2.3:
https://jvn.jp/en/jp/JVN03052683/index.html
https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000137.html
https://www.securityfocus.com/bid/92461
https://support.cybozu.com/ja-jp/article/9654
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into performing certain actions on the device.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU39165
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-4844
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to manipulate data.
Cybozu Mailwise before 5.4.0 allows remote attackers to conduct clickjacking attacks.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Mailwise: 5.0.0 - 5.3.2
CPE2.3:
https://jvn.jp/en/jp/JVN04125292/index.html
https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000138.html
https://www.securityfocus.com/bid/92462
https://support.cybozu.com/ja-jp/article/9605
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into performing certain actions on the device.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.