BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to the Zeroday Tracker: Your Vulnerability Watchlist


Cybozu Garoon API Security Bypass

Disclosed: April 30, 2014    Zeroday: 185 days

Vulnerability Description:

Cybozu Garoon does not properly restrict access to a schedule management API, which allows a remote attacker to delete the appointments of other users.

Vendors:

Cybozu

Vulnerable Software/Devices:

Cybozu Garoon 3.0 through 3.7.3

Vulnerability Severity:

Medium

Exploit Availability:

No Exploit Available

Exploit Impact:

Security Bypass

Improper restriction of APIs in Cybozu Garoon may allow a remote attacker to modify the appointments of other users. Normally, other users' appointments would be inaccessible, but because the schedule management API is misconfigured, it exposes sensitive information, and the ability to modify that information, to others.

BeyondTrust Prevention and Detection:

BeyondTrust's Retina® Network Security Scanner scans devices to detect this vulnerability.

  • 34011 - Cybozu Garoon 3.7 and Prior Security Bypass (Zero-Day)

Mitigation:

No mitigations are currently available.

Links:

CVE(s):