
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

Alinto SOGo before 5.9.1 is vulnerable to HTML Injection. Alinto SOGo 5.8.0 is vulnerable to HTML injection. • https://github.com/E1tex/CVE-2023-48104 https://github.com/Alinto/sogo/commit/7481ccf37087c3f456d7e5a844da01d0f8883098 https://habr.com/ru/articles/804863 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

A vulnerability was found in Alinto SOGo up to 5.7.1. It has been classified as problematic. This affects an unknown part of the file SoObjects/SOGo/NSString+Utilities.m of the component Folder/Mail Handler. The manipulation leads to cross-site scripting. It is possible to initiate the attack remotely. • https://github.com/Alinto/sogo/commit/1e0f5f00890f751e84d67be4f139dd7f00faa5f3 https://github.com/Alinto/sogo/releases/tag/SOGo-5.8.0 https://vuldb.com/?id.215961 • CWE-707: Improper Neutralization

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

A vulnerability was found in Alinto SOGo up to 5.7.1 and classified as problematic. Affected by this issue is the function _migrateMailIdentities of the file SoObjects/SOGo/SOGoUserDefaults.m of the component Identity Handler. The manipulation of the argument fullName leads to cross-site scripting. The attack may be launched remotely. Upgrading to version 5.8.0 addresses this issue. • https://github.com/Alinto/sogo/commit/efac49ae91a4a325df9931e78e543f707a0f8e5e https://github.com/Alinto/sogo/releases/tag/SOGo-5.8.0 https://vuldb.com/?id.215960 • CWE-707: Improper Neutralization

CVSS: 7.5 | EPSS: 0% | CPEs: 5 | EXPL: 0

SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.) • https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html https://github.com/inverse-inc/sogo/blob/master/CHANGELOG.md https://lists.debian.org/debian-lts-announce/2021/07/msg00007.html https://www.debian.org/security/2021/dsa-5029 https://www.sogo.nu/news.html • CWE-347: Improper Verification of Cryptographic Signature

CVSS: 4.3 | EPSS: 0% | CPEs: 2 | EXPL: 1

Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds. • http://www.openwall.com/lists/oss-security/2016/07/09/3 https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225 https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d https://sogo.nu/bugs/view.php?id=3695 • CWE-184: Incomplete List of Disallowed Inputs