cvelistv5 - cve-2018-16172

CVE-2018-16172 (GCVE-0-2018-16172)

Vulnerability from cvelistv5

Published

2019-01-09 22:00

Modified

2024-08-05 10:17

Severity ?

CWE

User Interface (UI) Misrepresentation of Critical Information

Summary

Improper countermeasure against clickjacking attack in client certificates management screen was discovered in Cybozu Remote Service 3.0.0 to 3.1.8, that allows remote attackers to trick a user to delete the registered client certificate.

References

►

URL

Tags

	https://kb.cybozu.support/article/35260/	x_refsource_MISC
	https://jvn.jp/en/jp/JVN23161885/index.html	third-party-advisory, x_refsource_JVN

Impacted products

	Vendor	Product	Version
	Cybozu, Inc.	Cybozu Remote Service	Version: 3.0.0 to 3.1.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:17:38.320Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://kb.cybozu.support/article/35260/"
          },
          {
            "name": "JVN#23161885",
            "tags": [
              "third-party-advisory",
              "x_refsource_JVN",
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN23161885/index.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cybozu Remote Service",
          "vendor": "Cybozu, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "3.0.0 to 3.1.8"
            }
          ]
        }
      ],
      "datePublic": "2019-01-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper countermeasure against clickjacking attack in client certificates management screen was discovered in Cybozu Remote Service 3.0.0 to 3.1.8, that allows remote attackers to trick a user to delete the registered client certificate."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "User Interface (UI) Misrepresentation of Critical Information",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-01-09T21:57:01",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://kb.cybozu.support/article/35260/"
        },
        {
          "name": "JVN#23161885",
          "tags": [
            "third-party-advisory",
            "x_refsource_JVN"
          ],
          "url": "https://jvn.jp/en/jp/JVN23161885/index.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2018-16172",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cybozu Remote Service",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "3.0.0 to 3.1.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Cybozu, Inc."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper countermeasure against clickjacking attack in client certificates management screen was discovered in Cybozu Remote Service 3.0.0 to 3.1.8, that allows remote attackers to trick a user to delete the registered client certificate."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "User Interface (UI) Misrepresentation of Critical Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://kb.cybozu.support/article/35260/",
              "refsource": "MISC",
              "url": "https://kb.cybozu.support/article/35260/"
            },
            {
              "name": "JVN#23161885",
              "refsource": "JVN",
              "url": "https://jvn.jp/en/jp/JVN23161885/index.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2018-16172",
    "datePublished": "2019-01-09T22:00:00",
    "dateReserved": "2018-08-30T00:00:00",
    "dateUpdated": "2024-08-05T10:17:38.320Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-16172

Vulnerability from jvndb

Published

2018-12-10 14:26

Modified

2019-08-27 11:48

Severity ?

8.8 (High) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Multiple vulnerabilities in Cybozu Remote Service

Details

Cybozu Remote Service provided by Cybozu, Inc. contains multiple vulnerabilities listed below. * Upload of arbitrary files in logo setting screen (CWE-434) - CVE-2018-16169 * Directory traversal in used device management screen (CWE-22) - CVE-2018-16170 * Directory traversal in client certificates registration function (CWE-22) - CVE-2018-16171 * Improper countermeasure against clickjacking attack in client certificates management screen (CWE-451) - CVE-2018-16172 Cybozu, Inc. reported CVE-2018-16169 vulnerability to JPCERT/CC to notify users of the solution through JVN. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported CVE-2018-16170 and CVE-2018-16171 vulnerabilities to Cybozu, Inc., and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN. Kanta Nishitani reported CVE-2018-16172 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.

References

►

Type

URL

	JVN	http://jvn.jp/en/jp/JVN23161885/index.html
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16169
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16170
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16171
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16172
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2018-16169
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2018-16170
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2018-16171
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2018-16172
	Path Traversal(CWE-22)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
	Code Injection(CWE-94)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
	No Mapping(CWE-Other)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

►

Vendor

Product

Cybozu, Inc.

Remote Service

Show details on JVN DB website