Garoon
CVE-2016-4907
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Cybozu Garoon 3.0.0 to 4.2.2 allow remote attackers to obtain CSRF tokens via unspecified vectors.
AnalysisAI
Cybozu Garoon 3.0.0 to 4.2.2 allow remote attackers to obtain CSRF tokens via unspecified vectors. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. Cybozu Garoon 3.0.0 to 4.2.2 allow remote attackers to obtain CSRF tokens via unspecified vectors. Affected products include: Cybozu Garoon.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.
The CGI component in Cybozu Garoon 3.1.0 through 3.7 SP3 allows remote attackers to execute arbitrary commands via unspe
Cybozu Garoon before 4.2.2 allows remote attackers to bypass login authentication via vectors related to API use. Rated
Cybozu Garoon 4.2.4 to 4.10.1 allow remote attackers to obtain the users' credential information via the authentication
SQL injection vulnerability in the Cybozu Garoon 3.0.0 to 4.2.2 allows remote authenticated attackers to execute arbitra
Cross-site scripting vulnerability in Cybozu Garoon 5.0.0 to 5.15.2 allows a remote authenticated attacker with an admin
SQL injection vulnerability in Cybozu Garoon before 4.2.2. Rated high severity (CVSS 8.8), this vulnerability is remotel
SQL injection vulnerability in the Notifications application in the Cybozu Garoon 3.5.0 to 4.6.2 allows remote authentic
SQL injection vulnerability in the Cybozu Garoon 3.5.0 to 4.2.6 allows remote authenticated attackers to execute arbitra
Cybozu Garoon 4.0.0 to 4.6.3 allows authenticated attackers to alter the information with privileges invoking the instal
Cybozu Garoon 3.x through 3.7.5 and 4.x through 4.0.3 allows remote authenticated users to execute arbitrary PHP code vi
The RSS Reader component in Cybozu Garoon 3.x through 3.7.5 and 4.x through 4.0.3 allows remote authenticated users to e
Cybozu Garoon 3.x and 4.x before 4.2.1 allows remote authenticated users to bypass intended restrictions on reading, cre
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today