Description
Cross-site scripting vulnerability exists in Message function of Cybozu Garoon 5.15.0 to 6.0.3, which may allow an attacker to reset arbitrary users’ passwords.
Published: 2026-02-02
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting that allows an attacker to reset arbitrary user passwords
Action: Apply Patch
AI Analysis

Impact

A client‑side cross‑site scripting flaw exists in the Message function of Cybozu Garoon versions 5.15.0 through 6.0.3. The flaw allows an attacker to insert malicious script that triggers a password reset for any user, thereby compromising account integrity and potentially threatening confidentiality if the attacker obtains the new credentials. This vulnerability is categorized as CWE‑79, an example of insufficient input validation leading to script injection.

Affected Systems

Cybozu, Inc. products Cybozu Garoon versions 5.15.0 to 6.0.3 are affected. Users deploying any of these releases need to verify their version and apply an update if one is available.

Risk and Exploitability

With a base CVSS score of 6.8, this vulnerability is considered medium severity. The EPSS score of less than 1% indicates that, at present, the likelihood of exploitation is very low, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The exploit would likely be carried out through a client‑side attack vector, requiring the attacker to deliver crafted content to a user with an active session. Verification of an active session or authentication may be necessary to successfully reset passwords. In the absence of a public exploit, the risk remains moderate until a exploit is detected.

Generated by OpenCVE AI on April 18, 2026 at 00:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Cybozu Garoon security update released in version 6.0.4 (or later) as described in the vendor KB article linked in the references.
  • If a patch is not immediately available, apply the input sanitization procedures recommended by Cybozu for the Message function to mitigate the XSS issue.
  • Restrict message‑posting permissions to trusted users and monitor password‑reset logs for suspicious activity to provide early detection of exploitation attempts.

Generated by OpenCVE AI on April 18, 2026 at 00:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 01:00:00 +0000

Type Values Removed Values Added
Title XSS in Cybozu Garoon Allows Password Reset

Thu, 19 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:cybozu:garoon:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Wed, 04 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Cybozu
Cybozu cybozu Garoon
Cybozu garoon
Vendors & Products Cybozu
Cybozu cybozu Garoon
Cybozu garoon

Mon, 02 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 06:45:00 +0000

Type Values Removed Values Added
Description Cross-site scripting vulnerability exists in Message function of Cybozu Garoon 5.15.0 to 6.0.3, which may allow an attacker to reset arbitrary users’ passwords.
Weaknesses CWE-79
References
Metrics cvssV3_0

{'score': 5.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N'}

cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Cybozu Cybozu Garoon Garoon
cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-02-02T16:28:15.355Z

Reserved: 2026-01-27T00:34:57.021Z

Link: CVE-2026-22881

cve-icon Vulnrichment

Updated: 2026-02-02T15:14:03.353Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-02T07:16:45.337

Modified: 2026-02-19T15:00:54.530

Link: CVE-2026-22881

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:45:32Z

Weaknesses