CVE-2022-4556

EUVD-2022-51891

16.12.2022, 17:15

A vulnerability was found in Alinto SOGo up to 5.7.1 and classified as problematic. Affected by this issue is the function _migrateMailIdentities of the file SoObjects/SOGo/SOGoUserDefaults.m of the component Identity Handler. The manipulation of the argument fullName leads to cross site scripting. The attack may be launched remotely. Upgrading to version 5.8.0 is able to address this issue. The name of the patch is efac49ae91a4a325df9931e78e543f707a0f8e5e. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-215960.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	3.5 LOW	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
VulDB	CNA	3.5 LOW	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 37%

Affected Products (NVD)

Vendor	Product	Version
alinto	sogo	𝑥 < 5.8.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

sogo

bookworm	5.8.0-1 fixed
bullseye	no-dsa
bullseye (security)	vulnerable
buster	no-dsa
sid	5.11.2-1 fixed
trixie	5.11.2-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

sogo

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
kinetic	ignored
lunar	not-affected
mantic	not-affected
noble	dne
trusty	ignored
xenial	needs-triage

Common Weakness Enumeration

CWE-707 - Improper Neutralization
The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

References

https://github.com/Alinto/sogo/commit/efac49ae91a4a325df9931e78e543f707a0f8e5e

https://github.com/Alinto/sogo/releases/tag/SOGo-5.8.0

https://vuldb.com/?id.215960

https://github.com/Alinto/sogo/commit/efac49ae91a4a325df9931e78e543f707a0f8e5e

https://github.com/Alinto/sogo/releases/tag/SOGo-5.8.0

https://vuldb.com/?id.215960