
CVE-2023-48104
https://notcve.org/view.php?id=CVE-2023-48104
16 Jan 2024 — Alinto SOGo before 5.9.1 is vulnerable to HTML Injection. Alinto SOGo 5.8.0 is vulnerable to HTML injection. • https://github.com/E1tex/CVE-2023-48104 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2022-4556 – Alinto SOGo Identity SOGoUserDefaults.m _migrateMailIdentities cross site scripting
https://notcve.org/view.php?id=CVE-2022-4556
16 Dec 2022 — A vulnerability was found in Alinto SOGo up to 5.7.1 and classified as problematic. Affected by this issue is the function _migrateMailIdentities of the file SoObjects/SOGo/SOGoUserDefaults.m of the component Identity Handler. The manipulation of the argument fullName leads to cross site scripting. The attack may be launched remotely. Upgrading to version 5.8.0 is able to address this issue. • https://github.com/Alinto/sogo/commit/efac49ae91a4a325df9931e78e543f707a0f8e5e • CWE-707: Improper Neutralization •

CVE-2022-4558 – Alinto SOGo Folder/Mail NSString+Utilities.m cross site scripting
https://notcve.org/view.php?id=CVE-2022-4558
16 Dec 2022 — A vulnerability was found in Alinto SOGo up to 5.7.1. It has been classified as problematic. This affects an unknown part of the file SoObjects/SOGo/NSString+Utilities.m of the component Folder/Mail Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. • https://github.com/Alinto/sogo/commit/1e0f5f00890f751e84d67be4f139dd7f00faa5f3 • CWE-707: Improper Neutralization •

CVE-2021-33054 – Debian Security Advisory 5029-1
https://notcve.org/view.php?id=CVE-2021-33054
04 Jun 2021 — SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.) SOGo versions 2.x prior to 2.4.1 and versions 3.x through 5.x prior to 5.1.1 do not verify the signatures of the SAML assertions they receive. Any actor with network access to the deployment could impersonate users when SAML... • https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html • CWE-347: Improper Verification of Cryptographic Signature •

CVE-2015-5395
https://notcve.org/view.php?id=CVE-2015-5395
20 Sep 2017 — Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0. A Cross-Site Request Forgery (CSRF) vulnerability exists in SOGo in versions prior to 3.1.0. • http://www.openwall.com/lists/oss-security/2015/07/10/9 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2016-6189
https://notcve.org/view.php?id=CVE-2016-6189
17 Feb 2017 — Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds. An incomplete blacklist in SOGo in versions prior to 2.3.12 and 3.x in versions prior to 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feed. • http://www.openwall.com/lists/oss-security/2016/07/09/3 • CWE-184: Incomplete List of Disallowed Inputs •

CVE-2016-6190
https://notcve.org/view.php?id=CVE-2016-6190
17 Feb 2017 — SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the "View the Date & Time" restriction, as demonstrated by correlating UIDs and DTSTAMPs between all users. SOGo in versions prior to 2.3.12 and 3.x in versions prior to 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain confidential information... • http://www.openwall.com/lists/oss-security/2016/07/09/3 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2016-6191
https://notcve.org/view.php?id=CVE-2016-6191
17 Feb 2017 — Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Description, (2) Location, (3) URL, or (4) Title field. Multiple XSS vulnerabilities in the View Raw Source page in the Web Calendar in SOGo in versions prior to 3.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Description, (2) Location, (3) U... • http://www.openwall.com/lists/oss-security/2016/07/09/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •