Page 2 of 8 results (0.001 seconds)

CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 1

Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds. Blacklist incompleta en SOGo en versiones anteriores a 2.3.12 y 3.x en versiones anteriores a 3.1.1 permite a usuarios remotos autenticados obtener información sensible leyendo los campos en la fuente (1) ics o (2) de calendario XML. • http://www.openwall.com/lists/oss-security/2016/07/09/3 https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225 https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d https://sogo.nu/bugs/view.php?id=3695 • CWE-184: Incomplete List of Disallowed Inputs •

CVSS: 4.3EPSS: 0%CPEs: 10EXPL: 0

SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the "View the Date & Time" restriction, as demonstrated by correlating UIDs and DTSTAMPs between all users. SOGo en versiones anteriores a 2.3.12 y 3.x en versiones anteriores a 3.1.1 no restringe el acceso a los atributos UID y DTSTAMP, lo que permite a los usuarios autenticados remotos obtener información confidencial sobre citas con la restricción "Ver la fecha y hora", como se demuestra mediante la correlación UIDs y DTSTAMP entre todos los usuarios. • http://www.openwall.com/lists/oss-security/2016/07/09/3 https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225 https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d https://sogo.nu/bugs/view.php?id=3696 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Description, (2) Location, (3) URL, or (4) Title field. Múltiples vulnerabilidades de XSS en la página View Raw Source en el Web Calendar en SOGo en versiones anteriores a 3.1.3 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del campo (1) Description, (2) Location, (3) URL o (4) Title. • http://www.openwall.com/lists/oss-security/2016/07/09/3 https://github.com/inverse-inc/sogo/commit/64ce3c9c22fd9a28caabf11e76216cd53d0245aa https://sogo.nu/bugs/view.php?id=3718 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •