CVE-2016-6189

MEDIUM

SOGo <3.1.1 - Info Disclosure

Title source: llm

Description

Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.

References (4)

[Mailing List, VDB Entry] http://www.openwall.com/lists/oss-security/2016/07/09/3

[Patch] https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225

[Patch] https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d

[Exploit, Vendor Advisory] https://sogo.nu/bugs/view.php?id=3695

Scores

CVSS v3 4.3

EPSS 0.0017

EPSS Percentile 38.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-184

Status draft

Affected Products (1)

alinto/sogo < 2.3.12

Timeline

Published Feb 17, 2017

Tracked Since Feb 18, 2026