SB2026020273 - Multiple vulnerabilities in Cybozu Garoon

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2026-20711)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in E-mail. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Improper Handling of Extra Values (CVE-ID: CVE-2026-22888)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper handling of data in Portal setting. A remote administrator can pass specially crafted input to the application and perform a denial of service (DoS) attack.

3) Cross-site scripting (CVE-ID: CVE-2026-22881)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in Message. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

4) Cross-site scripting (CVE-ID: N/A)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in mobile view. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References

• https://jvn.jp/en/jp/JVN35265756/index.html
• https://kb.cybozu.support/article/39081/
• https://kb.cybozu.support/article/39083/
• https://kb.cybozu.support/article/39084/
• https://kb.cybozu.support/article/39082/