CVE-2015-5646

high

Published 2015-10-12 · Modified 2026-05-06

CVSS v3

—

CVSS v2

8.5

VIR risk

8.5

Description

Cybozu Garoon 3.x through 3.7.5 and 4.x through 4.0.3 allows remote authenticated users to execute arbitrary PHP code via unspecified vectors, aka CyVDB-863 and CyVDB-867.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: vultures@jpcert.or.jp — https://support.cybozu.com/ja-jp/article/8811

vendor Authored 2026-05-27

Vendor advisory: vultures@jpcert.or.jp — https://support.cybozu.com/ja-jp/article/8809

vendor Authored 2026-05-27

Vendor advisory: vultures@jpcert.or.jp — http://jvndb.jvn.jp/jvndb/JVNDB-2015-000151

vendor Authored 2026-05-27

Vendor advisory: vultures@jpcert.or.jp — http://jvn.jp/en/jp/JVN21025396/index.html

vendor Authored 2026-05-27

Vendor advisory: vultures@jpcert.or.jp — http://jvn.jp/en/jp/JVN21025396/374951/index.html

Application impact

Vendor	Product	Versions
cybozu	garoon	`3.0.0`
cybozu	garoon	`3.0.1`
cybozu	garoon	`3.0.2`
cybozu	garoon	`3.0.3`
cybozu	garoon	`3.1.0`
cybozu	garoon	`3.1.1`
cybozu	garoon	`3.1.2`
cybozu	garoon	`3.1.3`
cybozu	garoon	`3.5.0`
cybozu	garoon	`3.5.1`
cybozu	garoon	`3.5.2`
cybozu	garoon	`3.5.3`
cybozu	garoon	`3.5.4`
cybozu	garoon	`3.5.5`
cybozu	garoon	`3.7.0`
cybozu	garoon	`3.7.1`
cybozu	garoon	`3.7.2`
cybozu	garoon	`3.7.3`
cybozu	garoon	`3.7.4`
cybozu	garoon	`3.7.5`
cybozu	garoon	`4.0.0`
cybozu	garoon	`4.0.1`
cybozu	garoon	`4.0.2`
cybozu	garoon	`4.0.3`

References

CWEs

CWE-94

Verify integrity in audit chain (admin only). AS-IS.