CVE-2016-6189 — Incomplete List of Disallowed Inputs in Sogo

CWE-184 — Incomplete List of Disallowed Inputs6 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 61.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Alinto Sogo

Timeline

PublishedFeb 17

Latest updateMay 13

Description

Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDalinto/sogo3.0.0 — 3.1.1+1

▶Debianalinto/sogo< 3.2.4-0.2+3

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-px99-x547-mjjw: Incomplete blacklist in SOGo before 2↗2022-05-13

▶

OSV

CVE-2016-6189: Incomplete blacklist in SOGo before 2↗2017-02-17

▶

CVEList

CVE-2016-6189: Incomplete blacklist in SOGo before 2↗2017-02-17

▶

📋Vendor Advisories

Debian

CVE-2016-6189: sogo - Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote au...↗2016

▶

🕵️Threat Intelligence

Fortinet

Analysis of PHP's CVE-2016-6289 and CVE-2016-6297↗2016-08-10

▶