CVE-2025-63498

MEDIUM

alinto SOGo 5.12.3 - Cross-Site Scripting via userName Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-63498. PoCs published by xryptoh.

AI-analyzed exploit summary: This repository documents a stored XSS vulnerability in Alinto/SOGo versions < 5.12.4, where the 'Remember Username' feature allows JavaScript injection via the 'userName' parameter in a POST request to /SOGo/connect. The payload is stored in the SOGoLogin cookie and executed when the user revisits the authentication page.

Description

alinto SOGo 5.12.3 is vulnerable to Cross-Site Scripting (XSS) via the "userName" parameter.

Exploits (1)

nomisec · WRITEUP · 1 star
by xryptoh · poc
https://github.com/xryptoh/CVE-2025-63498


Classification
Writeup 90%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: Alinto/SOGo < 5.12.4
No auth needed
Prerequisites: 'Remember Username' feature enabled · User interaction required to revisit the authentication page
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 6.1
EPSS 0.0024
EPSS Percentile 14.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
alinto/sogo 5.12.3
debian/debian_linux 11.0
Published Nov 24, 2025
Tracked Since Feb 18, 2026