Severity by source
AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has a too short length (only 12 digits instead of the 20 recommended).
AnalysisAI
SOGo versions prior to 5.12.5 contain two related one-time password (OTP) implementation weaknesses: the OTP is not regenerated when users disable and re-enable two-factor authentication, and the OTP length is only 12 digits instead of the cryptographically recommended 20 digits. While the CVSS score is low (2.0) due to high attack complexity and privileges required, this vulnerability could allow authenticated administrators or high-privilege users with social engineering capability to bypass or weaken OTP protections. No known active exploitation or public proof-of-concept exists, but the issue has been acknowledged and patched by the vendor.
Technical ContextAI
SOGo is an open-source groupware suite (affected via CPE cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:*) that provides calendar, contact, and email services with integrated authentication and multi-factor authentication features. The vulnerability relates to CWE-308 (Use of Single-factor Authentication), which occurs when OTP regeneration logic fails to create a new secret when MFA is toggled, and the entropy of the OTP is insufficient (12 digits ≈ 40 bits of entropy vs. 20 digits ≈ 66 bits). This allows both token reuse attacks if the original token is compromised and reduced brute-force resistance due to shorter keyspace.
RemediationAI
Upgrade SOGo to version 5.12.5 or later to resolve both the OTP regeneration and entropy issues. Organizations unable to immediately patch should implement compensating controls by enforcing strong password policies in addition to OTP authentication, disabling MFA toggle functionality for non-administrative users, and logging all MFA configuration changes for audit purposes. Additionally, restrict administrative access to trusted networks and enable alerting for any MFA modifications. The vendor advisory and patch are available at https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.5.
Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0. Rated high severity (CVSS 8.8), this vulnerability
Alinto Sogo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter.
alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the "userName" parameter. Rated medium severity (CVSS
Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive in
SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receiv
SQL injection in SOGo versions prior to 5.12.7 allows authenticated users to inject arbitrary SQL when changing their pa
SQL injection in Alinto SOGo versions prior to 5.12.7 allows authenticated remote attackers to manipulate database queri
Memory leak in SOGo 2.3.7 allows remote attackers to cause a denial of service (memory consumption) via a large number o
SOGo before version 5.12.5 contains a cross-site scripting (XSS) vulnerability affecting the events, tasks, and contacts
Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to i
Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3
Stored XSS in Alinto SOGo's ICS calendar invitation viewer enables a remote unauthenticated attacker to execute arbitrar
Same weakness CWE-308 – Use of Single-factor Authentication
View allSame technique Information Disclosure
View allVendor StatusVendor
Debian
Bug #1131606| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 5.0.1-4+deb11u1 | - |
| bullseye (security) | vulnerable | 5.0.1-4+deb11u3 | - |
| bookworm | vulnerable | 5.8.0-2+deb12u2 | - |
| trixie | vulnerable | 5.12.1-3+deb13u1 | - |
| forky, sid | vulnerable | 5.12.4-1.2 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14269
GHSA-9x6p-jf26-xmx7