CVE-2016-6190

MEDIUM

SOGo < 2.3.12 and 3.x < 3.1.1 - Information Disclosure

Description

SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the "View the Date & Time" restriction, as demonstrated by correlating UIDs and DTSTAMPs between all users.

Scores

CVSS v3 4.3
EPSS 0.0020
EPSS Percentile 41.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Classification

CWE
CWE-200
Status published

Affected Products (11)

inverse-inc/sogo < 2.3.11
inverse-inc/sogo
inverse-inc/sogo
inverse-inc/sogo
inverse-inc/sogo
inverse-inc/sogo
inverse-inc/sogo
inverse-inc/sogo
inverse-inc/sogo
inverse-inc/sogo
n/a/n/a

Timeline

Published Feb 17, 2017
Tracked Since Feb 18, 2026