Cybozu Garoon does not properly restrict access to a schedule management API, which allows a remote attacker to delete the appointments of other users.
Cybozu Garoon 3.0 through 3.7.3
No Exploit Available
Improper restriction of APIs in Cybozu Garoon may allow a remote attacker to modify the appointments of other users. Normally, the appointments of other users would be inaccessible, but because the schedule management API is misconfigured, it exposes sensitive information, and the ability to modify that information, to others.
BeyondTrust Prevention and Detection:
BeyondTrust's Retina® Network Security Scanner scans devices to detect this vulnerability.
- 34011 - Cybozu Garoon 3.7 and Prior Security Bypass (Zero-Day)
No mitigations are currently available.