CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-48104
https://notcve.org/view.php?id=CVE-2023-48104
Alinto SOGo before 5.9.1 is vulnerable to HTML Injection. Alinto SOGo 5.8.0 es vulnerable a la inyección de HTML. • https://github.com/E1tex/CVE-2023-48104 https://github.com/Alinto/sogo/commit/7481ccf37087c3f456d7e5a844da01d0f8883098 https://habr.com/ru/articles/804863 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-4558 – Alinto SOGo Folder/Mail NSString+Utilities.m cross site scripting
https://notcve.org/view.php?id=CVE-2022-4558
A vulnerability was found in Alinto SOGo up to 5.7.1. It has been classified as problematic. This affects an unknown part of the file SoObjects/SOGo/NSString+Utilities.m of the component Folder/Mail Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. • https://github.com/Alinto/sogo/commit/1e0f5f00890f751e84d67be4f139dd7f00faa5f3 https://github.com/Alinto/sogo/releases/tag/SOGo-5.8.0 https://vuldb.com/?id.215961 • CWE-707: Improper Neutralization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-4556 – Alinto SOGo Identity SOGoUserDefaults.m _migrateMailIdentities cross site scripting
https://notcve.org/view.php?id=CVE-2022-4556
A vulnerability was found in Alinto SOGo up to 5.7.1 and classified as problematic. Affected by this issue is the function _migrateMailIdentities of the file SoObjects/SOGo/SOGoUserDefaults.m of the component Identity Handler. The manipulation of the argument fullName leads to cross site scripting. The attack may be launched remotely. Upgrading to version 5.8.0 is able to address this issue. • https://github.com/Alinto/sogo/commit/efac49ae91a4a325df9931e78e543f707a0f8e5e https://github.com/Alinto/sogo/releases/tag/SOGo-5.8.0 https://vuldb.com/?id.215960 • CWE-707: Improper Neutralization •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2021-33054
https://notcve.org/view.php?id=CVE-2021-33054
SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.) SOGo versiones 2.x anteriores a 2.4.1 y versiones 3.x hasta 5.x anteriores a 5.1.1, no comprueba las firmas de las aserciones SAML que recibe. Cualquier actor con acceso a la red del despliegue podría suplantar a usuarios cuando SAML es el método de autenticación. • https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html https://github.com/inverse-inc/sogo/blob/master/CHANGELOG.md https://lists.debian.org/debian-lts-announce/2021/07/msg00007.html https://www.debian.org/security/2021/dsa-5029 https://www.sogo.nu/news.html • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 1CVE-2015-5395
https://notcve.org/view.php?id=CVE-2015-5395
Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0. Existe una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) en SOGo en versiones anteriores a la 3.1.0. • http://www.openwall.com/lists/oss-security/2015/07/10/9 https://github.com/inverse-inc/sogo/commit/582baf2960969c73f98643e46cfb49432c30b711 https://lists.debian.org/debian-lts/2016/05/msg00197.html https://security-tracker.debian.org/tracker/CVE-2015-5395 https://sogo.nu/bugs/view.php?id=3246 • CWE-352: Cross-Site Request Forgery (CSRF) •