VYPR
← All advisories
Medium severity4.3NVD Advisory· Published Jun 19, 2016· Updated May 6, 2026

CVE-2015-7776

CVE-2015-7776

Description

Cybozu Garoon 3.x and 4.x before 4.2.0 fails to restrict loading of IMG elements, allowing remote attackers to track users via crafted HTML email.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cybozu Garoon 3.x and 4.x before 4.2.0 fails to restrict loading of IMG elements, allowing remote attackers to track users via crafted HTML email.

Vulnerability

Cybozu Garoon versions 3.0.0 through 4.0.3 fail to properly restrict the loading of IMG elements in the mail function. This allows remote attackers to embed image tags in HTML email messages, which when viewed by a user, trigger requests to external servers. The affected versions are Cybozu Garoon 3.0.0 to 4.0.3 [1][2].

Exploitation

An attacker can send a crafted HTML email containing an IMG element that references a remote image URL. The attacker does not require any authentication or special network position; only user interaction is needed, specifically the user opening the email message in Garoon's mail viewer [1][2].

Impact

When the user views the email, the image URL is loaded, revealing to the attacker that the email was read. This results in low confidentiality impact as the attacker can track whether a user has opened a specific email, but no data is directly exposed or modified [1][2]. The CVSS v3 base score is 4.3 (Medium) with a vector of AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N [2].

Mitigation

The vendor, Cybozu, has released a fix in version 4.2.0. Users should update to the latest version according to the developer's information [1][2]. No workaround is mentioned in the references.

References
  1. Cybozu Garoon fails to restrict access permissions
  2. JVNDB-2016-000085 - JVN iPedia

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

25
  • Cybozu/Garoon25 versions
    cpe:2.3:a:cybozu:garoon:3.0.0:*:*:*:*:*:*:*+ 24 more
    • cpe:2.3:a:cybozu:garoon:3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.5.5:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.7.4:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.7.5:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:4.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:4.0.3:*:*:*:*:*:*:*
    • (no CPE)range: <4.2.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

6

News mentions

0

No linked articles in our index yet.