CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 1CVE-2016-6189
https://notcve.org/view.php?id=CVE-2016-6189
Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds. Blacklist incompleta en SOGo en versiones anteriores a 2.3.12 y 3.x en versiones anteriores a 3.1.1 permite a usuarios remotos autenticados obtener información sensible leyendo los campos en la fuente (1) ics o (2) de calendario XML. • http://www.openwall.com/lists/oss-security/2016/07/09/3 https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225 https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d https://sogo.nu/bugs/view.php?id=3695 • CWE-184: Incomplete List of Disallowed Inputs •
CVSS: 4.3EPSS: 0%CPEs: 10EXPL: 0CVE-2016-6190
https://notcve.org/view.php?id=CVE-2016-6190
SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the "View the Date & Time" restriction, as demonstrated by correlating UIDs and DTSTAMPs between all users. SOGo en versiones anteriores a 2.3.12 y 3.x en versiones anteriores a 3.1.1 no restringe el acceso a los atributos UID y DTSTAMP, lo que permite a los usuarios autenticados remotos obtener información confidencial sobre citas con la restricción "Ver la fecha y hora", como se demuestra mediante la correlación UIDs y DTSTAMP entre todos los usuarios. • http://www.openwall.com/lists/oss-security/2016/07/09/3 https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225 https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d https://sogo.nu/bugs/view.php?id=3696 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6191
https://notcve.org/view.php?id=CVE-2016-6191
Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Description, (2) Location, (3) URL, or (4) Title field. Múltiples vulnerabilidades de XSS en la página View Raw Source en el Web Calendar en SOGo en versiones anteriores a 3.1.3 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del campo (1) Description, (2) Location, (3) URL o (4) Title. • http://www.openwall.com/lists/oss-security/2016/07/09/3 https://github.com/inverse-inc/sogo/commit/64ce3c9c22fd9a28caabf11e76216cd53d0245aa https://sogo.nu/bugs/view.php?id=3718 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6188
https://notcve.org/view.php?id=CVE-2016-6188
Memory leak in SOGo 2.3.7 allows remote attackers to cause a denial of service (memory consumption) via a large number of attempts to upload a large attachment, related to temporary files. Pérdida de memoria en SOGo 2.3.7 permite a atacantes remotos provocar una denegación de servicio (consumo de memoria) a través de un gran número de intentos de cargar un archivo adjunto grande, relacionado con archivos temporales. • http://www.openwall.com/lists/oss-security/2016/07/09/3 http://www.securityfocus.com/bid/96007 https://github.com/inverse-inc/sogo/commit/32bb1456e23a32c7f45079c3985bf732dd0d276d https://sogo.nu/bugs/view.php?id=3510 • CWE-399: Resource Management Errors •