CVE-2016-6190 — Sensitive Information Exposure in Sogo

CWE-200 — Sensitive Information Exposure6 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 57.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Alinto Sogo Inverse-inc Sogo

Timeline

PublishedFeb 17

Latest updateMay 17

Description

SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the "View the Date & Time" restriction, as demonstrated by correlating UIDs and DTSTAMPs between all users.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶Debianalinto/sogo< 3.2.4-0.2+3

▶NVDinverse-inc/sogo2.3.11+4

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-2xqv-f63h-r6rj: SOGo before 2↗2022-05-17

▶

CVEList

CVE-2016-6190: SOGo before 2↗2017-02-17

▶

OSV

CVE-2016-6190: SOGo before 2↗2017-02-17

▶

💥Exploits & PoCs

Exploit-DB

D-Link DWR-116 / DWR-116A1 - Arbitrary File Download↗2017-04-07

▶

📋Vendor Advisories

Debian

CVE-2016-6190: sogo - SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and ...↗2016

▶