Sogo
Sign in to watchby Alinto
Source repositories
CVEs (11)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2015-5395 | Hig | 0.57 | 8.8 | 0.00 | Sep 20, 2017 | Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0. | |
| CVE-2026-46446 | Hig | 0.46 | 7.1 | 0.00 | May 14, 2026 | SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and cleartext passwords are stored, allows SQL injection. This is related to c_password = '%@' in changePasswordForLogin. | |
| CVE-2026-46445 | Hig | 0.46 | 7.1 | 0.00 | May 14, 2026 | SOGo before 5.12.7, when PostgreSQL is used, allows SQL injection. | |
| CVE-2026-8496 | Med | 0.40 | 6.1 | 0.00 | May 13, 2026 | A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation files allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the description field of an ICS file, with an onrepeat event handler, is insufficiently sanitized before being rendered in the webmail interface. A remote attacker can execute JavaScript in the victim's browser when the malicious calendar invite is viewed. Successful exploitation may allow mailbox access, email and contact theft, session hijacking, and other actions allowed by an authenticated user. | |
| CVE-2014-9905 | Med | 0.40 | 6.1 | 0.01 | Feb 17, 2017 | Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) title of an appointment or (2) contact fields. | |
| CVE-2026-3054 | Med | 0.28 | 4.3 | 0.00 | Feb 24, 2026 | A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2026-33550 | 0.00 | — | 0.00 | Mar 22, 2026 | SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has a too short length (only 12 digits instead of the 20 recommended). | ||
| CVE-2025-71276 | 0.00 | — | 0.00 | Mar 22, 2026 | SOGo before 5.12.5 is prone to a XSS vulnerability with events, tasks, and contacts categories. | ||
| CVE-2025-63499 | 0.00 | — | 0.00 | Dec 4, 2025 | Alinto Sogo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter. | ||
| CVE-2022-4558 | 0.00 | — | 0.00 | Dec 16, 2022 | A vulnerability was found in Alinto SOGo up to 5.7.1. It has been classified as problematic. This affects an unknown part of the file SoObjects/SOGo/NSString+Utilities.m of the component Folder/Mail Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 5.8.0 is able to address this issue. The name of the patch is 1e0f5f00890f751e84d67be4f139dd7f00faa5f3. It is recommended to upgrade the affected component. The identifier VDB-215961 was assigned to this vulnerability. | ||
| CVE-2022-4556 | 0.00 | — | 0.00 | Dec 16, 2022 | A vulnerability was found in Alinto SOGo up to 5.7.1 and classified as problematic. Affected by this issue is the function _migrateMailIdentities of the file SoObjects/SOGo/SOGoUserDefaults.m of the component Identity Handler. The manipulation of the argument fullName leads to cross site scripting. The attack may be launched remotely. Upgrading to version 5.8.0 is able to address this issue. The name of the patch is efac49ae91a4a325df9931e78e543f707a0f8e5e. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-215960. |