Alinto SOGo vulnerabilities
18 known vulnerabilities affecting alinto/sogo.

Total CVEs: 18
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 15, LOW 1
Vulnerabilities
CVE-2025-71276 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 5.12.5 | 2026-03-22
SOGo before 5.12.5 is prone to an XSS vulnerability with events, tasks, and contacts categories.
Sources: cvelistv5, nvd, osv
CVE-2026-33550 | LOW | CVSS 2.6 | CWE-308 | fixed in 5.12.5 | 2026-03-22
SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has a too short length (only 12 digits instead of the 20 recommended).
Sources: cvelistv5, nvd, osv
CVE-2026-3054 | MEDIUM | CVSS 5.3 | CWE-79 | affected v5.12.3, v5.12.4 | 2026-02-24
A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Sources: cvelistv5, nvd, osv
CVE-2025-63499 | MEDIUM | CVSS 6.1 | CWE-79 | affected ≤ 5.12.4 | 2025-12-04
Alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter.
Sources: nvd, osv
CVE-2025-63498 | MEDIUM | CVSS 6.1 | CWE-79 | affected v5.12.3 | 2025-11-24
Alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the "userName" parameter.
Sources: nvd, osv
CVE-2024-24510 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 5.10.0 | 2024-09-09
Cross Site Scripting vulnerability in Alinto SOGo before 5.10.0 allows a remote attacker to execute arbitrary code via the import function to the mail component.
Sources: nvd, osv
CVE-2024-34462 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 5.11.0 | 2024-05-04
Alinto SOGo through 5.10.0 allows XSS during attachment preview.
Sources: nvd, osv
CVE-2023-48104 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 5.9.1 | 2024-01-16
Alinto SOGo before 5.9.1 is vulnerable to HTML Injection.
Sources: nvd, osv
CVE-2020-22402 | MEDIUM | CVSS 6.1 | affected ≥ 0, < 4.3.2-1 | 2023-06-14
Cross Site Scripting (XSS) vulnerability in SOGo Web Mail before 4.3.1 allows attackers to obtain user sensitive information when a user reads an email containing malicious code.
Sources: osv
CVE-2022-4556 | MEDIUM | CVSS 6.1 | CWE-707 | fixed in 5.8.0; affected v5.7.0 (+1 more) | 2022-12-16
A vulnerability was found in Alinto SOGo up to 5.7.1 and classified as problematic. Affected by this issue is the function _migrateMailIdentities of the file SoObjects/SOGo/SOGoUserDefaults.m of the component Identity Handler. The manipulation of the argument fullName leads to cross site scripting. The attack may be launched remotely. Upgrading to ver
Sources: cvelistv5, nvd, osv
CVE-2022-4558 | MEDIUM | CVSS 6.1 | CWE-707 | fixed in 5.8.0; affected v5.7.0 (+1 more) | 2022-12-16
A vulnerability was found in Alinto SOGo up to 5.7.1. It has been classified as problematic. This affects an unknown part of the file SoObjects/SOGo/NSString+Utilities.m of the component Folder/Mail Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 5.8.0 is able to address thi
Sources: cvelistv5, nvd, osv
CVE-2021-33054 | HIGH | CVSS 7.5 | affected ≥ 0, < 5.0.1-4+deb11u1; ≥ 0, < 5.1.1-1 | 2021-06-04
SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)
Sources: osv
CVE-2015-5395 | HIGH | CVSS 8.8 | CWE-352 | fixed in 3.1.0 | 2017-09-20
Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0.
Sources: nvd, osv
CVE-2016-6191 | MEDIUM | CVSS 6.1 | CWE-79 | affected ≤ 3.1.2 | 2017-02-17
Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Description, (2) Location, (3) URL, or (4) Title field.
Sources: nvd, osv
CVE-2016-6189 | MEDIUM | CVSS 4.3 | CWE-184 | fixed in 2.3.12; affected ≥ 3.0.0, < 3.1.1 | 2017-02-17
Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.
Sources: nvd, osv
CVE-2014-9905 | MEDIUM | CVSS 6.1 | CWE-79 | affected ≤ 2.1.1 | 2017-02-17
Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) title of an appointment or (2) contact fields.
Sources: nvd, osv
CVE-2016-6190 | MEDIUM | CVSS 4.3 | affected ≥ 0, < 3.2.4-0.2 | 2017-02-17
SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the "View the Date & Time" restriction, as demonstrated by correlating UIDs and DTSTAMPs between all users.
Sources: osv
CVE-2016-6188 | MEDIUM | CVSS 6.5 | CWE-399 | affected v2.3.7 | 2017-02-03
Memory leak in SOGo 2.3.7 allows remote attackers to cause a denial of service (memory consumption) via a large number of attempts to upload a large attachment, related to temporary files.
Sources: nvd, osv