VYPR
Medium severity 4.3 · NVD Advisory · Published Feb 17, 2016 · Updated May 6, 2026

CVE-2015-8487

Description

Cybozu Office 9.0.0–10.3 discloses CSRF tokens to remote attackers via unspecified vectors, enabling further attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Cybozu Office versions 9.0.0 through 10.3 contain an information disclosure vulnerability that allows remote attackers to discover cross-site request forgery (CSRF) protection tokens via unspecified vectors [1][2][3]. This vulnerability is distinct from CVE-2015-8488 [1][2].

Exploitation

An attacker must trick a logged-in user into viewing a specially crafted page [1][2]. No authentication or network position beyond standard web access is required [2]. When the user visits the malicious page, the CSRF token is disclosed to the attacker [1][2].

Impact

Successful exploitation results in the disclosure of the CSRF token [1][2]. With the token, the attacker can perform further attacks such as forging requests on behalf of the victim, potentially leading to unauthorized actions [1][2]. The confidentiality impact is low; integrity and availability are not directly affected [2].

Mitigation

For on-premises installations, the vulnerability is fixed in Cybozu Office version 10.4.0 [3]. For Cybozu Office on cybozu.com, the fix was applied during maintenance in October 2015 [3]. Users should update to the latest version as recommended by the vendor [1][2][3].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Cybozu/Office (16 versions)
    • cpe:2.3:a:cybozu:office:10.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:office:10.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:office:10.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:office:10.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:office:10.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:office:10.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:office:10.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:office:9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:office:9.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:office:9.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:office:9.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:office:9.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:office:9.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:office:9.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:office:9.9.0:*:*:*:*:*:*:*
    • (no CPE) range: >=9.0.0, <=10.3

Patches

0

No patches discovered yet.

References

3