CVE-2013-6003

low

Published 2013-12-05 · Modified 2026-04-29

CVSS v3

—

CVSS v2

3.5

VIR risk

3.5

Description

CRLF injection vulnerability in Cybozu Garoon 3.1 through 3.5 SP5, when Phone Messages forwarding is enabled, allows remote authenticated users to inject arbitrary e-mail headers via unspecified vectors.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: vultures@jpcert.or.jp — https://support.cybozu.com/ja-jp/article/6121

Application impact

Vendor	Product	Versions	Fixed
cybozu	garoon	`3.1`
cybozu	garoon	`3.5`

References

http://cs.cybozu.co.jp/information/20131202up01.php
http://jvn.jp/en/jp/JVN84221103/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2013-000116
https://support.cybozu.com/ja-jp/article/6121
http://cs.cybozu.co.jp/information/20131202up01.php
http://jvn.jp/en/jp/JVN84221103/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2013-000116
https://support.cybozu.com/ja-jp/article/6121

CWEs

CWE-20

Verify integrity in audit chain (admin only). AS-IS.