Critical Vulnerability Information

Vulnerability Name: [CyVDB-2014] Email-related Cross-Site Scripting (XSS) Vulnerability
Affected Versions: 10.0.0, 10.0.1, 10.0.2, 10.1.0, 10.1.2, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.7.0, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.8.4
Fixed Version: 10.8.5
Disclosure Date: 2021-03-12
Update Date: 2021-03-12

Details

Vulnerability Description: When exploited maliciously, this vulnerability may allow arbitrary script execution in a user's web browser while using Cybozu Office.
Vulnerability Type: Cross-Site Scripting (XSS)

Basic Assessment

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None (no authentication required prior to attack, such as login)
User Interaction (UI): Required
Scope (S): Changed (impact may extend beyond the vulnerable component; scope is uncertain)
Confidentiality Impact (C): Low (information disclosure possible, but limited impact)
Integrity Impact (I): Low (tampering possible, but limited impact)
Availability Impact (A): None
CVSS Score: 4.7 (Medium/Warning)

Additional Notes

To prevent exploitation, reproduction steps are not publicly disclosed.
The Common Vulnerability Scoring System (CVSS) v3 was used for assessment. For more details on CVSS v3, see: https://www.ipa.go.jp/security/vuln/CVSSv3.html
When CVSS score is below 6.9, upgrading to a newer version is recommended, but patches may not be released for older versions.
Vulnerability Handling Policy: https://cybozu.co.jp/company/security-policy/

CVE ID: CVE-2021-20629
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20629

Mitigation Measures

Avoidance Method: This vulnerability will be fixed in the next version. Please check for version updates.
- Cybozu Office version 10.8.5