Kanta Nishitani

**Name of the Vulnerable Software and Affected Versions** FitNesse versions all releases **Description** A cross-site scripting issue exists, potentially allowing a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product and accessing a link with specially crafted multiple parameters. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FitNesse all releases **Description** The issue allows a remote authenticated attacker to execute arbitrary OS commands. Note that this behavior is claimed by a contributor to be a product specification rather than a vulnerability, and this is under further investigation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FitNesse (all releases) **Description** The issue allows a remote unauthenticated attacker to obtain sensitive information, alter data, or cause a denial-of-service (DoS) condition due to improper restriction of XML external entity references. **Recommendations** For all releases, consider restricting or disabling XML external entity references to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GROWI versions prior to v4.1.3 **Description** A stored cross-site scripting issue exists when processing profile images. If exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product. **Recommendations** For versions prior to v4.1.3, update to version v4.1.3 or later to resolve the issue. As a temporary workaround, consider restricting the upload of profile images until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Cybozu Office versions 10.0.0 through 10.8.5 **Description** The system configuration of Cybozu Office contains an information disclosure issue, allowing a remote attacker to obtain product data via unspecified vectors. **Recommendations** For Cybozu Office versions 10.0.0 through 10.8.5, update to a version later than 10.8.5 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Unlimited Sitemap Generator versions prior to v8.2 Description: A cross-site request forgery (CSRF) issue allows a remote attacker to hijack the authentication of an administrator and conduct arbitrary operations via a specially crafted web page. Recommendations: For Unlimited Sitemap Generator versions prior to v8.2, update to version v8.2 or later to resolve the issue. As a temporary workaround, consider implementing additional authentication checks to minimize the risk of CSRF exploitation. Restrict access to administrative functions to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Cybozu Remote Service versions 3.0.0 through 3.1.9 Description: The issue allows remote attackers to redirect users to arbitrary web sites, potentially leading to phishing attacks. The attack vector is not specified. Recommendations: For versions 3.0.0 through 3.1.9, update to a version that contains a fix for this issue to prevent remote attackers from redirecting users to arbitrary web sites.

Name of the Vulnerable Software and Affected Versions: Cybozu Office versions 10.0.0 through 10.8.4 Description: The issue allows remote attackers to inject an arbitrary script via unspecified vectors, which is a cross-site scripting vulnerability in the Address Book of Cybozu Office. Recommendations: For Cybozu Office versions 10.0.0 through 10.8.4, update to a version later than 10.8.4 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Cybozu Office versions 10.0.0 through 10.8.4 Description: A cross-site scripting issue in the Address Book of Cybozu Office allows remote attackers to inject an arbitrary script via unspecified vectors. This issue is specific to when Mozilla Firefox is used. Recommendations: For Cybozu Office versions 10.0.0 through 10.8.4, consider disabling the Address Book feature until a patch is available to prevent exploitation. Restrict access to the Address Book to minimize the risk of arbitrary script injection. Avoid using the Address Book with Mozilla Firefox until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Cybozu Garoon versions 4.0.0 through 5.0.1 **Description** The issue allows remote attackers to obtain unintended information via unspecified vectors. **Recommendations** For versions 4.0.0 through 5.0.1, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cybozu Garoon versions 4.0.0 through 5.0.1 **Description** The issue allows remote authenticated attackers to bypass access restrictions, enabling them to view and/or alter Single sign-on settings. This is achieved via unspecified vectors. **Recommendations** For versions 4.0.0 through 5.0.1, consider restricting access to Single sign-on settings until a patch is available. As a temporary workaround, limit the ability to alter Single sign-on settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cybozu Garoon versions 4.6.0 through 4.6.3 **Description** A server-side request forgery (SSRF) issue allows a remote attacker with administrative privileges to issue arbitrary HTTP requests to other web servers via the V-CUBE Meeting function. This enables the attacker to potentially access or manipulate sensitive data on other web servers. **Recommendations** For Cybozu Garoon versions 4.6.0 through 4.6.3, consider restricting access to the V-CUBE Meeting function until a patch is available to prevent exploitation of the SSRF issue. As a temporary workaround, limit the administrative privileges to minimize the risk of arbitrary HTTP requests being issued to other web servers. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cybozu Garoon versions 4.0.0 through 4.10.2 **Description** The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the application 'Scheduler'. **Recommendations** For Cybozu Garoon versions 4.0.0 through 4.10.2, consider disabling the 'Scheduler' application as a temporary workaround until a patch is available. Restrict access to the 'Scheduler' module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cybozu Garoon versions 4.0.0 through 4.10.2 **Description** The issue allows an attacker with administrative rights to cause a denial of service condition via unspecified vectors. **Recommendations** For versions 4.0.0 through 4.10.2, update to a version that contains a fix for this issue to prevent a denial of service condition.

**Name of the Vulnerable Software and Affected Versions** Cybozu Garoon versions 3.0.0 through 4.10.0 **Description** The issue allows remote attackers to bypass access restrictions and view information that is only available to signed-on users through the Single sign-on function. **Recommendations** For Cybozu Garoon versions 3.0.0 through 4.10.0, consider restricting access to the Single sign-on function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Cybozu Remote Service versions 3.0.0 through 3.1.8 **Description** An issue was found in the client certificates management screen, where an improper countermeasure against clickjacking attacks was discovered. This allows remote attackers to trick a user into deleting a registered client certificate. **Recommendations** For Cybozu Remote Service versions 3.0.0 through 3.1.8, update to a version that includes a proper countermeasure against clickjacking attacks to prevent remote attackers from tricking users into deleting registered client certificates.

**Name of the Vulnerable Software and Affected Versions** GROWI versions 3.1.11 and earlier **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the modal for creating a Wiki page. **Recommendations** For GROWI versions 3.1.11 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GROWI versions 3.1.11 and earlier **Description** A cross-site scripting issue allows remote authenticated attackers to inject arbitrary web script or HTML via the app settings section of the admin page. **Recommendations** For GROWI versions 3.1.11 and earlier, update to a version later than 3.1.11 to resolve the issue.