CVE-2006-4444

Cybuzu Garoon 2.1.0 - Multiple SQL Injections

Severity Score

8.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Multiple SQL injection vulnerabilities in Cybozu Garoon 2.1.0 for Windows allow remote authenticated users to execute arbitrary SQL commands via the (1) tid parameter in the (a) todo/view (aka TODO List View), (b) todo/modify (aka TODO List Modify), or (c) todo/delete functionality; the (2) pid parameter in the (d) workflow/view or (e) workflow/print functionality; the (3) uid parameter in the (f) schedule/user_view, (g) phonemessage/add, (h) phonemessage/history, or (i) schedule/view functionality; the (4) cid parameter in (j) todo/index; the (5) iid parameter in the (k) memo/view or (l) memo/print functionality; or the (6) event parameter in the (m) schedule/view functionality.

Múltiples vulnerabilidades de inyección SQL en Cybozu Garoon 2.1.0 para Windows permiten a usuarios remotos autenticados ejecutar comandos SQL de su elección mediante el (1) parámetro tid en la funcionalidad (a) todo/view (también conocido como TODO List View), (b) todo/modify (también conocido como TODO List Modify), o (c) todo/delete; el (2) parámetro pid en la funcionalidad (d) workflow/view o (e) workflow/print; el (3) parámetro uid en la funcionalidad (f) schedule/user_view, (g) phonemessage/add, (h) phonemessage/history, o (i) schedule/view; el (4) parámetro cid en (j) todo/index; el (5) parámetro iid en la funcionalidad (k) memo/view o (l) memo/print; o el (6) parámetro event en la funcionalidad (m) schedule/view.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2006-08-28 First Exploit
2006-08-29 CVE Reserved
2006-08-29 CVE Published
2024-08-07 CVE Updated
2025-04-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CAPEC

References (13)

URL	Tag	Source
http://cybozu.co.jp/products/dl/notice_060825	X_refsource_misc
http://vuln.sg/cybozugaroon-en.html	X_refsource_misc
http://www.osvdb.org/28361	Vdb Entry
http://www.osvdb.org/28362	Vdb Entry
http://www.osvdb.org/28363	Vdb Entry
http://www.osvdb.org/28364	Vdb Entry
http://www.osvdb.org/28365	Vdb Entry
http://www.osvdb.org/28366	Vdb Entry
http://www.vupen.com/english/advisories/2006/3399	Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/28594	Vdb Entry

URL	Date	SRC
https://www.exploit-db.com/exploits/2267	2006-08-28
http://secunia.com/advisories/21664	2024-08-07
http://www.securityfocus.com/bid/19731	2024-08-07

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cybozu Search vendor "Cybozu"		Garoon Search vendor "Cybozu" for product "Garoon"				2.1.0_for_windows Search vendor "Cybozu" for product "Garoon" and version "2.1.0_for_windows"		-		Affected