Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation files allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the description field of an ICS file, with an onrepeat event handler, is insufficiently sanitized before being rendered in the webmail interface. A remote attacker can execute JavaScript in the victim's browser when the malicious calendar invite is viewed. Successful exploitation may allow mailbox access, email and contact theft, session hijacking, and other actions allowed by an authenticated user.
AnalysisAI
Stored XSS in Alinto SOGo's ICS calendar invitation viewer enables a remote unauthenticated attacker to execute arbitrary JavaScript within an authenticated victim's SOGo webmail session. Affected versions span all releases prior to 5.12.8; the root cause is an incomplete blocklist sanitizer in NSString+Utilities.m that explicitly blocked only 'onload' and 'onmouseover' event handlers, leaving the SVG animation event 'onrepeat' unfiltered when SVG content appears in an ICS DESCRIPTION field. No public exploit has been identified at time of analysis and CISA SSVC confirms no active exploitation, but the CVSS Scope:Changed rating reflects that successful execution grants the attacker full access to the victim's authenticated session context, enabling mailbox access, contact theft, and session hijacking.
Technical ContextAI
Alinto SOGo is an open-source Objective-C groupware server and webmail client. The affected code path is the ICS viewer component UIxMailPartICalViewer.m, which renders iCalendar (.ics) invitation content - including the DESCRIPTION field - inside the SOGo webmail interface. Prior to 5.12.8, the sanitization method stringWithoutHTMLInjection in SoObjects/SOGo/NSString+Utilities.m used a piecemeal blocklist strategy: it applied individual NSRegularExpression replacements to mangle specific event handlers ('onload=' → 'onl*=', 'onmouseover=' → 'onmouseo*='). The SVG animation event handler 'onrepeat', which fires each time an SVG SMIL animation loop repeats, was never added to this blocklist, making it a trivially exploitable bypass. Because SVG is an XML-based format that browsers render inline, an attacker can embed a construct such as '<animate onrepeat="malicious_js" ...>' in the DESCRIPTION field of an ICS file and have it execute in the victim's browser when the invite is rendered. The CPE string cpe:2.3:a:alinto_sogo:sogo:*:*:*:*:*:*:*:* indicates all SOGo versions are in scope up to the fix. The 5.12.8 patch replaces the per-handler blocklist with a comprehensive catch-all regex (on\w+)\s*=\s*(["'][^"']*["']|[^\s>]+) that strips any on* attribute event handler, and separately applies sanitization to the rendered content field in the ICalViewer renderer. CWE is listed as N/A in the provided data, but the code evidence maps this unambiguously to improper neutralization of input during web page generation (classic stored/reflected XSS via blocklist bypass).
RemediationAI
Vendor-released patch: SOGo 5.12.8. Administrators should upgrade to SOGo 5.12.8, available at the GitHub release tag https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.8 and documented in the vendor announcement at https://www.sogo.nu/news/2026/sogo-v5128-released.html. The fix commit https://github.com/Alinto/sogo/commit/67ce01ec2a1a7854d8e9f615dd65afb949043e86 replaces the piecemeal event-handler blocklist with a comprehensive regex stripping all on* attribute handlers. If an immediate upgrade is not feasible, a compensating control is to configure the mail gateway or spam filter to block or quarantine inbound messages containing ICS attachments from external or untrusted senders; this prevents the malicious payload from reaching the SOGo calendar viewer but will also block all legitimate external calendar invitations, which may be disruptive in collaborative environments. There is no known in-product configuration switch to disable SVG rendering in ICS descriptions without patching.
Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0. Rated high severity (CVSS 8.8), this vulnerability
Alinto Sogo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter.
alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the "userName" parameter. Rated medium severity (CVSS
Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive in
SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receiv
SQL injection in SOGo versions prior to 5.12.7 allows authenticated users to inject arbitrary SQL when changing their pa
SQL injection in Alinto SOGo versions prior to 5.12.7 allows authenticated remote attackers to manipulate database queri
Memory leak in SOGo 2.3.7 allows remote attackers to cause a denial of service (memory consumption) via a large number o
SOGo before version 5.12.5 contains a cross-site scripting (XSS) vulnerability affecting the events, tasks, and contacts
Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to i
Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3
Cross Site Scripting vulnerability in Alinto SOGo before 5.10.0 allows a remote attacker to execute arbitrary code via t
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30134
GHSA-5wp7-63mq-392x