cvelistv5 - cve-2022-29513

cve-2022-29513

Vulnerability from cvelistv5

Published

2022-07-04 06:56

Modified

2024-08-03 06:26

Severity

Summary

Cross-site scripting vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary script.

References

Source	URL	Tags
vultures@jpcert.or.jp	https://cs.cybozu.co.jp/2022/007429.html	Vendor Advisory
vultures@jpcert.or.jp	https://jvn.jp/en/jp/JVN73897863/index.html	Third Party Advisory

Impacted products

Vendor	Product
Cybozu, Inc.	Cybozu Garoon

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T06:26:06.276Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://cs.cybozu.co.jp/2022/007429.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN73897863/index.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cybozu Garoon",
          "vendor": "Cybozu, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "4.10.0 to 5.5.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary script."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-site scripting",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-04T06:56:38",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cs.cybozu.co.jp/2022/007429.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jvn.jp/en/jp/JVN73897863/index.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2022-29513",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cybozu Garoon",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "4.10.0 to 5.5.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Cybozu, Inc."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary script."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://cs.cybozu.co.jp/2022/007429.html",
              "refsource": "MISC",
              "url": "https://cs.cybozu.co.jp/2022/007429.html"
            },
            {
              "name": "https://jvn.jp/en/jp/JVN73897863/index.html",
              "refsource": "MISC",
              "url": "https://jvn.jp/en/jp/JVN73897863/index.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2022-29513",
    "datePublished": "2022-07-04T06:56:38",
    "dateReserved": "2022-04-28T00:00:00",
    "dateUpdated": "2024-08-03T06:26:06.276Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-29513\",\"sourceIdentifier\":\"vultures@jpcert.or.jp\",\"published\":\"2022-07-04T07:15:08.763\",\"lastModified\":\"2022-07-12T14:45:07.407\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cross-site scripting vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary script.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de tipo cross-site scripting en Scheduler de Cybozu Garoon versiones 4.10.0 a 5.5.1, permite a un atacante remoto autenticado con un privilegio administrativo ejecutar un script arbitrario\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\",\"baseScore\":3.5},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cybozu:garoon:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.10.0\",\"versionEndIncluding\":\"5.5.1\",\"matchCriteriaId\":\"F6FF8417-DE01-42B5-91AB-53DBFF23A3B2\"}]}]}],\"references\":[{\"url\":\"https://cs.cybozu.co.jp/2022/007429.html\",\"source\":\"vultures@jpcert.or.jp\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://jvn.jp/en/jp/JVN73897863/index.html\",\"source\":\"vultures@jpcert.or.jp\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

ghsa-p666-f25r-h8ww

Vulnerability from github

Published

2022-07-05 00:00

Modified

2022-07-13 00:01

Severity

4.8 (Medium) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

Cross-site scripting vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary script.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-29513"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-04T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Cross-site scripting vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary script.",
  "id": "GHSA-p666-f25r-h8ww",
  "modified": "2022-07-13T00:01:53Z",
  "published": "2022-07-05T00:00:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29513"
    },
    {
      "type": "WEB",
      "url": "https://cs.cybozu.co.jp/2022/007429.html"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN73897863/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

cve-2022-29513

Vulnerability from jvndb

Published

2022-05-16 14:25

Modified

2024-06-17 16:34

Severity

5.3 (Medium) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

Multiple vulnerabilities in Cybozu Garoon

Details

Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. * [CyVDB-1584][CyVDB-2670] Operation restriction bypass vulnerability in Bulletin (CWE-285) - CVE-2022-28718 * [CyVDB-1865][CyVDB-2692] Operation restriction bypass vulnerability in Workflow (CWE-285) - CVE-2022-27661 * [CyVDB-2660] Improper input validation vulnerability in Space (CWE-20) - CVE-2022-29892 * [CyVDB-2667] Cross-site scripting vulnerability in Scheduler (CWE-79) - CVE-2022-29513 * [CyVDB-2685] Browse restriction bypass vulnerability in Bulletin (CWE-284) - CVE-2022-29471 * [CyVDB-2689] Operation restriction bypass vulnerability in Portal (CWE-285) - CVE-2022-26051 * [CyVDB-2718] Improper input validation vulnerability in Scheduler (CWE-20) - CVE-2022-28692 * [CyVDB-2839] Improper input validation vulnerability in Space (CWE-20) - CVE-2022-27803 * [CyVDB-2841] Browse restriction bypass and operation restriction bypass vulnerability in Cabinet (CWE-285) - CVE-2022-26368 * [CyVDB-2889] Cross-site scripting vulnerability in Organization's Information (CWE-79) - CVE-2022-27627 * [CyVDB-2897] Operation restriction bypass vulnerability in Link (CWE-285) - CVE-2022-26054 * [CyVDB-2906] Improper input validation vulnerability in Link (CWE-20) - CVE-2022-27807 * [CyVDB-2932] Address information disclosure vulnerability (CWE-200) - CVE-2022-29467 * [CyVDB-2940] Improper authentication vulnerability in Scheduler (CWE-287) - CVE-2022-28713 * [CyVDB-3001] Operation restriction bypass vulnerability in Space (CWE-285) - CVE-2022-29484 * [CyVDB-2911] Browse restriction bypass vulnerability in Cabinet (CWE-284) - CVE-2022-31472 CVE-2022-27627 Masato Kinugawa reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN. CVE-2022-26054, CVE-2022-26368, CVE-2022-31472 Yuji Tounai reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN. CVE-2022-26051, CVE-2022-27661, CVE-2022-27803, CVE-2022-27807, CVE-2022-28692, CVE-2022-28713, CVE-2022-28718, CVE-2022-29467, CVE-2022-29471, CVE-2022-29484, CVE-2022-29513, CVE-2022-29892 Cybozu, Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.

References

Type	URL
JVN	http://jvn.jp/en/jp/JVN73897863/index.html
CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26051
CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26054
CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26368
CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27627
CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27661
CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27803
CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27807
CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28692
CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28713
CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28718
CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29467
CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29471
CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29484
CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29513
CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29892
CVE	https://www.cve.org/CVERecord?id=CVE-2022-31472
NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-26051
NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-26054
NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-26368
NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-27627
NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-27661
NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-27803
NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-27807
NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-28692
NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-28713
NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-28718
NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-29467
NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-29471
NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-29484
NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-29513
NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-29892
NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-31472
Improper Input Validation(CWE-20)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
Information Exposure(CWE-200)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
Permissions(CWE-264)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
Improper Authentication(CWE-287)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
Cross-site Scripting(CWE-79)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
No Mapping(CWE-Other)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

Vendor	Product
Cybozu, Inc.	Cybozu Garoon
Cybozu, Inc.	Cybozu Garoon
Cybozu, Inc.	Cybozu Garoon
Cybozu, Inc.	Cybozu Garoon
Cybozu, Inc.	Cybozu Garoon
Cybozu, Inc.	Cybozu Garoon

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000035.html",
  "dc:date": "2024-06-17T16:34+09:00",
  "dcterms:issued": "2022-05-16T14:25+09:00",
  "dcterms:modified": "2024-06-17T16:34+09:00",
  "description": "Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.\r\n\r\n* [CyVDB-1584][CyVDB-2670] Operation restriction bypass vulnerability in Bulletin (CWE-285) - CVE-2022-28718\r\n* [CyVDB-1865][CyVDB-2692] Operation restriction bypass vulnerability in Workflow (CWE-285) - CVE-2022-27661\r\n* [CyVDB-2660] Improper input validation vulnerability in Space (CWE-20) - CVE-2022-29892\r\n* [CyVDB-2667] Cross-site scripting vulnerability in Scheduler (CWE-79) - CVE-2022-29513\r\n* [CyVDB-2685] Browse restriction bypass vulnerability in Bulletin (CWE-284) - CVE-2022-29471\r\n* [CyVDB-2689] Operation restriction bypass vulnerability in Portal (CWE-285) - CVE-2022-26051\r\n* [CyVDB-2718] Improper input validation vulnerability in Scheduler (CWE-20) - CVE-2022-28692\r\n* [CyVDB-2839] Improper input validation vulnerability in Space (CWE-20) - CVE-2022-27803\r\n* [CyVDB-2841] Browse restriction bypass and operation restriction bypass vulnerability in Cabinet (CWE-285) - CVE-2022-26368\r\n* [CyVDB-2889] Cross-site scripting vulnerability in Organization\u0027s Information (CWE-79) - CVE-2022-27627\r\n* [CyVDB-2897] Operation restriction bypass vulnerability in Link (CWE-285) - CVE-2022-26054\r\n* [CyVDB-2906] Improper input validation vulnerability in Link (CWE-20) - CVE-2022-27807\r\n* [CyVDB-2932] Address information disclosure vulnerability (CWE-200) - CVE-2022-29467\r\n* [CyVDB-2940] Improper authentication vulnerability in Scheduler (CWE-287) - CVE-2022-28713\r\n* [CyVDB-3001] Operation restriction bypass vulnerability in Space (CWE-285) - CVE-2022-29484\r\n* [CyVDB-2911] Browse restriction bypass vulnerability in Cabinet (CWE-284) - CVE-2022-31472\r\n\r\nCVE-2022-27627\r\nMasato Kinugawa reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.\r\n\r\nCVE-2022-26054, CVE-2022-26368, CVE-2022-31472\r\nYuji Tounai reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.\r\n\r\nCVE-2022-26051, CVE-2022-27661, CVE-2022-27803, CVE-2022-27807, CVE-2022-28692, CVE-2022-28713, CVE-2022-28718, CVE-2022-29467, CVE-2022-29471, CVE-2022-29484, CVE-2022-29513, CVE-2022-29892\r\nCybozu, Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.",
  "link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000035.html",
  "sec:cpe": [
    {
      "#text": "cpe:/a:cybozu:garoon",
      "@product": "Cybozu Garoon",
      "@vendor": "Cybozu, Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:cybozu:garoon",
      "@product": "Cybozu Garoon",
      "@vendor": "Cybozu, Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:cybozu:garoon",
      "@product": "Cybozu Garoon",
      "@vendor": "Cybozu, Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:cybozu:garoon",
      "@product": "Cybozu Garoon",
      "@vendor": "Cybozu, Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:cybozu:garoon",
      "@product": "Cybozu Garoon",
      "@vendor": "Cybozu, Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:cybozu:garoon",
      "@product": "Cybozu Garoon",
      "@vendor": "Cybozu, Inc.",
      "@version": "2.2"
    }
  ],
  "sec:cvss": [
    {
      "@score": "5.0",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
      "@version": "2.0"
    },
    {
      "@score": "5.3",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2022-000035",
  "sec:references": [
    {
      "#text": "http://jvn.jp/en/jp/JVN73897863/index.html",
      "@id": "JVN#73897863",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26051",
      "@id": "CVE-2022-26051",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26054",
      "@id": "CVE-2022-26054",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26368",
      "@id": "CVE-2022-26368",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27627",
      "@id": "CVE-2022-27627",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27661",
      "@id": "CVE-2022-27661",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27803",
      "@id": "CVE-2022-27803",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27807",
      "@id": "CVE-2022-27807",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28692",
      "@id": "CVE-2022-28692",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28713",
      "@id": "CVE-2022-28713",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28718",
      "@id": "CVE-2022-28718",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29467",
      "@id": "CVE-2022-29467",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29471",
      "@id": "CVE-2022-29471",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29484",
      "@id": "CVE-2022-29484",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29513",
      "@id": "CVE-2022-29513",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29892",
      "@id": "CVE-2022-29892",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2022-31472",
      "@id": "CVE-2022-31472",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-26051",
      "@id": "CVE-2022-26051",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-26054",
      "@id": "CVE-2022-26054",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-26368",
      "@id": "CVE-2022-26368",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-27627",
      "@id": "CVE-2022-27627",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-27661",
      "@id": "CVE-2022-27661",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-27803",
      "@id": "CVE-2022-27803",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-27807",
      "@id": "CVE-2022-27807",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-28692",
      "@id": "CVE-2022-28692",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-28713",
      "@id": "CVE-2022-28713",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-28718",
      "@id": "CVE-2022-28718",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-29467",
      "@id": "CVE-2022-29467",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-29471",
      "@id": "CVE-2022-29471",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-29484",
      "@id": "CVE-2022-29484",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-29513",
      "@id": "CVE-2022-29513",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-29892",
      "@id": "CVE-2022-29892",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-31472",
      "@id": "CVE-2022-31472",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-20",
      "@title": "Improper Input Validation(CWE-20)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-200",
      "@title": "Information Exposure(CWE-200)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-264",
      "@title": "Permissions(CWE-264)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-287",
      "@title": "Improper Authentication(CWE-287)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "Multiple vulnerabilities in Cybozu Garoon"
}

gsd-2022-29513

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Cross-site scripting vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary script.

Aliases

CVE-2022-29513

Aliases

CVE-2022-29513

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-29513",
    "description": "Cross-site scripting vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary script.",
    "id": "GSD-2022-29513"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-29513"
      ],
      "details": "Cross-site scripting vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary script.",
      "id": "GSD-2022-29513",
      "modified": "2023-12-13T01:19:42.190973Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "vultures@jpcert.or.jp",
        "ID": "CVE-2022-29513",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Cybozu Garoon",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "4.10.0 to 5.5.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Cybozu, Inc."
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Cross-site scripting vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary script."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Cross-site scripting"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://cs.cybozu.co.jp/2022/007429.html",
            "refsource": "MISC",
            "url": "https://cs.cybozu.co.jp/2022/007429.html"
          },
          {
            "name": "https://jvn.jp/en/jp/JVN73897863/index.html",
            "refsource": "MISC",
            "url": "https://jvn.jp/en/jp/JVN73897863/index.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:cybozu:garoon:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "5.5.1",
                "versionStartIncluding": "4.10.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2022-29513"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary script."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://cs.cybozu.co.jp/2022/007429.html",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://cs.cybozu.co.jp/2022/007429.html"
            },
            {
              "name": "https://jvn.jp/en/jp/JVN73897863/index.html",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://jvn.jp/en/jp/JVN73897863/index.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 6.8,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.7,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2022-07-12T14:45Z",
      "publishedDate": "2022-07-04T07:15Z"
    }
  }
}

Action not permitted

cve-2022-29513

Vulnerability from cvelistv5

ghsa-p666-f25r-h8ww

Vulnerability from github

cve-2022-29513

Vulnerability from jvndb

gsd-2022-29513

Vulnerability from gsd

Tags