Skip to main content

Ubuntu EUVDEUVD-2025-201283

| CVE-2025-63499 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-04 cve@mitre.org
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Ubuntu
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 15, 2026 - 16:35 euvd
EUVD-2025-201283
Analysis Generated
Mar 15, 2026 - 16:35 vuln.today
PoC Detected
Dec 18, 2025 - 20:24 vuln.today
Public exploit code
CVE Published
Dec 04, 2025 - 20:16 nvd
MEDIUM 6.1

DescriptionCVE.org

Alinto Sogo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter.

Analysis

Alinto Sogo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter.

Technical ContextAI

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

RemediationAI

Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

More in Sogo

View all
CVE-2015-5395 HIGH POC
8.8 Sep 20

Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0. Rated high severity (CVSS 8.8), this vulnerability

CVE-2025-63498 MEDIUM POC
6.1 Nov 24

alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the "userName" parameter. Rated medium severity (CVSS

CVE-2016-6189 MEDIUM POC
4.3 Feb 17

Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive in

CVE-2021-33054 HIGH
7.5 Jun 04

SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receiv

CVE-2026-46446 HIGH
7.1 May 14

SQL injection in SOGo versions prior to 5.12.7 allows authenticated users to inject arbitrary SQL when changing their pa

CVE-2026-46445 HIGH
7.1 May 14

SQL injection in Alinto SOGo versions prior to 5.12.7 allows authenticated remote attackers to manipulate database queri

CVE-2016-6188 MEDIUM
6.5 Feb 03

Memory leak in SOGo 2.3.7 allows remote attackers to cause a denial of service (memory consumption) via a large number o

CVE-2025-71276 MEDIUM
6.4 Mar 22

SOGo before version 5.12.5 contains a cross-site scripting (XSS) vulnerability affecting the events, tasks, and contacts

CVE-2014-9905 MEDIUM
6.1 Feb 17

Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to i

CVE-2016-6191 MEDIUM
6.1 Feb 17

Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3

CVE-2026-8496 MEDIUM
6.1 May 13

Stored XSS in Alinto SOGo's ICS calendar invitation viewer enables a remote unauthenticated attacker to execute arbitrar

CVE-2024-24510 MEDIUM
6.1 Sep 09

Cross Site Scripting vulnerability in Alinto SOGo before 5.10.0 allows a remote attacker to execute arbitrary code via t

Vendor StatusVendor

Ubuntu

Priority: Medium
sogo
Release Status Version
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble DNE -
questing needs-triage -
upstream needs-triage -
plucky ignored end of life, was needs-triage

Debian

Bug #1121952
sogo
Release Status Fixed Version Urgency
bullseye fixed 5.0.1-4+deb11u3 -
bullseye (security) fixed 5.0.1-4+deb11u3 -
bookworm fixed 5.8.0-2+deb12u1 -
trixie fixed 5.12.1-3+deb13u1 -
forky, sid fixed 5.12.4-1.2 -
(unstable) fixed 5.12.4-1.2 -

Share

EUVD-2025-201283 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy