SOGo

by SOGo

CVEs (11)

  • CVE-2026-8851 (High) May 18, 2026
    risk 0.53, CVSS 8.1, EPSS 0.00

    SOGo versions 5.12.7 and prior contain a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls…

  • CVE-2015-5395 (High) Sep 20, 2017
    risk 0.50, CVSS 8.8, EPSS 0.01

    Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0.

  • CVE-2021-33054 (High) Jun 4, 2021
    risk 0.49, CVSS 7.5, EPSS 0.01

    SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)

  • CVE-2024-56963 (Medium) Jan 27, 2025
    risk 0.42, CVSS 6.5, EPSS 0.00

    An issue in Beijing Sogou Technology Development Co., Ltd Sogou Input iOS 12.2.0 allows attackers to access sensitive user information via supplying a crafted link.

  • CVE-2016-6188 (Medium) Feb 3, 2017
    risk 0.42, CVSS 6.5, EPSS 0.02

    Memory leak in SOGo 2.3.7 allows remote attackers to cause a denial of service (memory consumption) via a large number of attempts to upload a large attachment, related to temporary files.

  • CVE-2020-22402 (Medium) Jun 14, 2023
    risk 0.40, CVSS 6.1, EPSS 0.00

    Cross Site Scripting (XSS) vulnerability in SOGo Web Mail before 4.3.1 allows attackers to obtain user sensitive information when a user reads an email containing malicious code.

  • CVE-2025-50340 (Medium) Aug 4, 2025
    risk 0.28, CVSS 4.3, EPSS 0.00

    An Insecure Direct Object Reference (IDOR) vulnerability was discovered in SOGo Webmail through 5.6.0, allowing an authenticated user to send emails on behalf of other users by manipulating a user-controlled identifier in the email-sending request. The server fails to verify…

  • CVE-2016-6190 (Medium) Feb 17, 2017
    risk 0.28, CVSS 4.3, EPSS 0.01

    SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the "View the Date & Time" restriction, as demonstrated by correlating UIDs and…

  • CVE-2016-6189 (Medium) Feb 17, 2017
    risk 0.28, CVSS 4.3, EPSS 0.01

    Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.

  • CVE-2026-33550 (severity not listed) Mar 22, 2026
    risk 0.00, CVSS n/a, EPSS 0.00

    SOGo before 5.12.5 does not renew the OTP secret when a user disables and re-enables it, and the secret is too short (only 12 digits instead of the recommended 20).

  • CVE-2025-71276 (severity not listed) Mar 22, 2026
    risk 0.00, CVSS n/a, EPSS 0.00

    SOGo before 5.12.5 is prone to an XSS vulnerability in the categories of events, tasks, and contacts.