VYPR
Medium severity 4.3 · NVD Advisory · Published Jun 19, 2016 · Updated May 6, 2026

CVE-2016-1196

Description

Cybozu Garoon 3.x and 4.x before 4.2.1 fails to restrict access to the Address Book API, allowing authenticated users to view other users' contact data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Cybozu Garoon versions 3.0 through 4.2 (before 4.2.1) contain an access control vulnerability in the API used to retrieve Address Book information. The API does not properly verify permissions, allowing a remote authenticated user to bypass intended restrictions and access data belonging to other users. This issue is distinct from CVE-2015-7776. [1][2]

Exploitation

An attacker must have a valid user account on the Cybozu Garoon instance. No additional privileges or user interaction are required. The attacker can make a crafted API call to the Address Book endpoint, which will return information that should be restricted. The attack vector is network-based with low complexity. [1][2]

Impact

Successful exploitation allows the attacker to obtain other users' Address Book information, including potentially sensitive contact details. The confidentiality impact is low, as only Address Book data is exposed; integrity and availability are not affected. The scope remains unchanged. [1][2]

Mitigation

Cybozu has addressed this vulnerability in version 4.2.1 of Garoon. Users should update to the latest version as provided by the vendor. No workarounds are documented in the available references. [1][2]

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Cybozu/Garoon: 26 versions
    • cpe:2.3:a:cybozu:garoon:3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.5.5:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.7.4:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:3.7.5:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:4.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:4.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:cybozu:garoon:4.2.0:*:*:*:*:*:*:*
    • (no CPE) range: <4.2.1

References

3