JVN#35265756
Multiple vulnerabilities in Cybozu Garoon

Overview

Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities.

Products Affected

CVE-2026-20711, CVE-2026-22888

• Cybozu Garoon 5.0.0 to 6.0.3

• Cybozu Garoon 5.15.0 to 6.0.3

Description

Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.

• Cross-site scripting vulnerability in E-mail (CWE-79)
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Base Score 6.9
  • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Base Score 6.5
  • CVE-2026-20711
  • CyVDB-3687
• Cross-site scripting vulnerability in Message (CWE-79)
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Base Score 6.8
  • CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N Base Score 5.7
  • CVE-2026-22881
  • CyVDB-3689
• Improper input verification in Portal setting (CWE-231)
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Base Score 6.9
  • CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H Base Score 4.9
  • CVE-2026-22888
  • CyVDB-3995

Impact

• An attacker could exploit a cross-site scripting vulnerability to reset arbitrary users’ passwords. (CVE-2026-20711, CVE-2026-22881)
• Data related to portal settings may be altered, potentially blocking access to the product. (CVE-2026-22888)

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.