CVE-2017-2146
Description
Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.2.4 allows remote attackers to inject arbitrary web script or HTML via application menu.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Cybozu Garoon versions 3.0.0 to 4.2.4 allows an attacker with high privileges to inject arbitrary web script or HTML via the application menu.
Vulnerability
Cybozu Garoon versions 3.0.0 to 4.2.4 contain a cross-site scripting (XSS) vulnerability in the application menu. The flaw lies in insufficient sanitization of user-supplied input, which allows an authenticated attacker with high privileges to inject arbitrary web script or HTML. The vulnerable code path is triggered when a privileged user creates or customizes an application menu entry; the crafted input is stored and later rendered, unescaped, when other users view the menu. [1]
Exploitation
An attacker must have a high-privileged account (e.g., an administrator role) in the Cybozu Garoon instance. The attacker crafts a malicious application menu entry containing a JavaScript or HTML payload. When a logged-in user (including the attacker themselves) navigates to the affected menu, the injected script executes in the context of the victim's browser session. The attack requires no network access beyond being authenticated to the application, but it does require the victim to view the menu item. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary web script or HTML in the victim's browser. This can lead to session token theft, forced actions (such as modifying or locking other users' files), or exfiltration of sensitive data displayed in the Garoon interface. The attacker gains the ability to perform actions with the victim's privileges, potentially escalating their access within the application. [1]
Mitigation
Cybozu has released a fixed version; users should update Cybozu Garoon to the latest version provided by the vendor. No workarounds or patches are listed in the JPCERT/CC advisory for this specific CVE. [1]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:cybozu:garoon:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:3.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:3.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:3.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:3.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:3.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:3.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:3.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:3.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:3.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:3.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:3.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:3.7:sp1:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:3.7:sp2:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:3.7:sp3:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:4.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:4.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:cybozu:garoon:4.2.4:*:*:*:*:*:*:*
- (no CPE) range: 3.0.0 - 4.2.4
- Cybozu, Inc. / Cybozu Garoon (v5) range: 3.0.0 to 4.2.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- jvn.jp/en/jp/JVN43534286/index.html (NVD: Third Party Advisory)
- support.cybozu.com/ja-jp/article/9702 (NVD: Vendor Advisory)
News mentions
No linked articles in our index yet.