EUVD-2025-208920

CVE-2025-71276, MEDIUM 6.4 (CVSS 3.1), published 2026-03-22, source: mitre

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd); patch available
EUVD ID Assigned: Mar 22, 2026 - 02:30 (euvd); EUVD-2025-208920
Analysis Generated: Mar 22, 2026 - 02:30 (vuln.today)
CVE Published: Mar 22, 2026 - 02:11 (nvd)

Description

SOGo before 5.12.5 is prone to an XSS vulnerability with events, tasks, and contacts categories.

Analysis

SOGo before version 5.12.5 contains a cross-site scripting (XSS) vulnerability in the events, tasks, and contacts categories that allows authenticated users to inject script. An attacker with valid SOGo credentials can place crafted input in these modules that executes in the browsers of other users who view it, potentially leading to session hijacking, credential theft, or unauthorized actions performed as the victim. No public exploit code or active exploitation has been documented in known exploit databases. The CVSS score of 6.4 (Medium) reflects the requirement for prior authentication (PR:L) combined with the ability to affect confidentiality and integrity across a security boundary (S:C).

Technical Context

The vulnerability exists in the SOGo groupware suite (Alinto SOGo, CPE: cpe:2.3:a:alinto:sogo), a collaborative calendaring, messaging, and contact management application written in Objective-C and JavaScript. The XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) sits in the web interface layers that handle events, tasks, and contacts data, where user-supplied category values are not properly sanitized or encoded before being rendered into HTML responses. An authenticated user can therefore get JavaScript past whatever client-side and server-side input validation exists by supplying it through these three category fields; the stored script then executes when other users view or interact with the affected objects.

Affected Products

SOGo versions prior to 5.12.5 are affected by this vulnerability, as confirmed by the CPE identifier cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:* provided by MITRE. Organizations running SOGo 5.12.4 and earlier releases should plan immediate upgrades. The patched version 5.12.5 contains fixes for the XSS flaws in the events, tasks, and contacts modules as documented in the upstream commit e9b3f2a43d7557e8416f6749df4ab4f9128af2d1 in the Alinto SOGo GitHub repository.

Remediation

Upgrade SOGo to version 5.12.5 or later immediately. The fix is the upstream commit in the Alinto GitHub repository (https://github.com/Alinto/sogo/commit/e9b3f2a43d7557e8416f6749df4ab4f9128af2d1), and upgrading is the primary remediation. Organizations that cannot patch immediately should reduce exposure with network-level controls: restrict SOGo access to the corporate network via VPN or firewall rules and remove direct internet access to the application; deploy a Content Security Policy (CSP) that blocks inline script execution, tested against SOGo's own web interface first so that the policy does not break legitimate functionality; and monitor event, task, and contact creation logs for suspicious input. Until patching is complete, also advise users not to open links in, or view, untrusted events, tasks, or contacts received from external sources.

Priority Score

32 (KEV: 0, EPSS: +0.0, CVSS: +32, POC: 0)

Vendor Status

Debian (Bug #1131605, package: sogo)

Release              Status      Fixed Version      Urgency
bullseye             vulnerable  5.0.1-4+deb11u1    -
bullseye (security)  vulnerable  5.0.1-4+deb11u3    -
bookworm             vulnerable  5.8.0-2+deb12u2    -
trixie               vulnerable  5.12.1-3+deb13u1   -
forky, sid           vulnerable  5.12.4-1.2         -
(unstable)           fixed       (unfixed)          -

EUVD-2025-208920 vulnerability details – vuln.today