CVE-2022-4556

A vulnerability was found in Alinto SOGo up to 5.7.1 and classified as problematic. Affected by this issue is the function _migrateMailIdentities of the file SoObjects/SOGo/SOGoUserDefaults.m of the component Identity Handler. The manipulation of the argument fullName leads to cross site scripting. The attack may be launched remotely. Upgrading to version 5.8.0 is able to address this issue. The name of the patch is efac49ae91a4a325df9931e78e543f707a0f8e5e. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-215960.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3.5 LOW
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
VulDBCNA
3.5 LOW
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 23%
VendorProductVersion
alintosogo
𝑥
< 5.8.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
sogo
bullseye (security)
vulnerable
bullseye
no-dsa
buster
no-dsa
bookworm
5.8.0-1
fixed
sid
5.11.2-1
fixed
trixie
5.11.2-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
sogo
noble
dne
mantic
not-affected
lunar
not-affected
kinetic
ignored
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
ignored
Common Weakness Enumeration
References
https://github.com/Alinto/sogo/commit/efac49ae91a4a325df9931e78e543f707a0f8e5e
https://github.com/Alinto/sogo/releases/tag/SOGo-5.8.0
https://vuldb.com/?id.215960
https://github.com/Alinto/sogo/commit/efac49ae91a4a325df9931e78e543f707a0f8e5e
https://github.com/Alinto/sogo/releases/tag/SOGo-5.8.0
https://vuldb.com/?id.215960