Sogo Webmail
Monthly
SQL injection in SOGo 5.12.7 (Alinto's open-source groupware/webmail platform) allows authenticated users to exfiltrate arbitrary database contents by injecting subqueries through the uid parameter of the addUserInAcls endpoint, then reading the staged data back via the /acls API. The flaw, reported by VulnCheck (with credit to dninh of SACOMBANK), is fixed in 5.12.8; no public exploit identified at time of analysis and the CVE is not on CISA KEV.
SQL injection in SOGo 5.12.7 (Alinto's open-source groupware/webmail platform) allows authenticated users to exfiltrate arbitrary database contents by injecting subqueries through the uid parameter of the addUserInAcls endpoint, then reading the staged data back via the /acls API. The flaw, reported by VulnCheck (with credit to dninh of SACOMBANK), is fixed in 5.12.8; no public exploit identified at time of analysis and the CVE is not on CISA KEV.