Hivert Quentin

6 exploits Active since Jan 2024
CVE-2026-8496 MEDIUM WRITEUP
A cross-site scripting (XSS) vulnerability in Alinto SOGo, version 5.12.7
A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation file allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the description field of an ICS file, with an onrepeat event handler, is insufficiently sanitized before being rendered in the webmail interface. A remote attacker can execute JavaScript in the victim's browser when the malicious calendar invite is viewed. Successful exploitation may allow mailbox access, email and contact theft, session hijacking, and other actions allowed by an authenticated user.
CVSS 6.1
CVE-2023-48104 MEDIUM WRITEUP
Alinto SOGo < 5.9.1 - HTML Injection
Alinto SOGo before 5.9.1 is vulnerable to HTML Injection.
CVSS 6.1
CVE-2025-63498 MEDIUM WRITEUP
Alinto SOGo 5.12.3 - Cross-Site Scripting via userName Parameter
Alinto SOGo 5.12.3 is vulnerable to cross-site scripting (XSS) via the "userName" parameter.
CVSS 6.1
CVE-2025-71276 MEDIUM WRITEUP
SOGo < 5.12.5 - Stored Cross-Site Scripting in Events, Tasks, and Contacts Categories
SOGo before 5.12.5 is prone to an XSS vulnerability with events, tasks, and contacts categories.
CVSS 6.4
CVE-2026-33550 LOW WRITEUP
SOGo < 5.12.5 - Weak One-Time Password Implementation
SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and the OTP is too short (only 12 digits instead of the 20 recommended).
CVSS 2.0
CVE-2024-34462 MEDIUM WRITEUP
Alinto SOGo < 5.11.0 - Cross-Site Scripting in Attachment Preview
Alinto SOGo through 5.10.0 allows XSS during attachment preview.
CVSS 6.1