MidnightBSD

Advisories for alinto

CVE-2014-9905 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) title of an appointment or (2) contact fields.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
alinto sogo *

CVE-2015-5395 MEDIUM

Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352

Products Affected

Vendor Product Version
debian debian_linux 7.0
alinto sogo *
debian debian_linux 8.0
debian debian_linux 9.0

CVE-2016-6188 MEDIUM

Memory leak in SOGo 2.3.7 allows remote attackers to cause a denial of service (memory consumption) via a large number of attempts to upload a large attachment, related to temporary files.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399

Products Affected

Vendor Product Version
alinto sogo 2.3.7

CVE-2016-6189 MEDIUM

Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-184

Products Affected

Vendor Product Version
alinto sogo *

CVE-2016-6191 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Description, (2) Location, (3) URL, or (4) Title field.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
alinto sogo *

CVE-2020-22402

Cross Site Scripting (XSS) vulnerability in SOGo Web Mail before 4.3.1 allows attackers to obtain user sensitive information when a user reads an email containing malicious code.

Products Affected

Vendor Product Version
alinto sogo_web_mail *

CVE-2022-4556

A vulnerability was found in Alinto SOGo up to 5.7.1 and classified as problematic. Affected by this issue is the function _migrateMailIdentities of the file SoObjects/SOGo/SOGoUserDefaults.m of the component Identity Handler. The manipulation of the argument fullName leads to cross site scripting. The attack may be launched remotely. Upgrading to version 5.8.0 is able to address this issue. The name of the patch is efac49ae91a4a325df9931e78e543f707a0f8e5e. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-215960.

Products Affected

Vendor Product Version
alinto sogo *

CVE-2022-4558

A vulnerability was found in Alinto SOGo up to 5.7.1. It has been classified as problematic. This affects an unknown part of the file SoObjects/SOGo/NSString+Utilities.m of the component Folder/Mail Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 5.8.0 is able to address this issue. The name of the patch is 1e0f5f00890f751e84d67be4f139dd7f00faa5f3. It is recommended to upgrade the affected component. The identifier VDB-215961 was assigned to this vulnerability.

Products Affected

Vendor Product Version
alinto sogo *

CVE-2023-48104

Alinto SOGo before 5.9.1 is vulnerable to HTML Injection.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
alinto sogo *

CVE-2024-24510

Cross Site Scripting vulnerability in Alinto SOGo before 5.10.0 allows a remote attacker to execute arbitrary code via the import function to the mail component.

Products Affected

Vendor Product Version
alinto sogo *

CVE-2024-34462

Alinto SOGo through 5.10.0 allows XSS during attachment preview.

Products Affected

Vendor Product Version
alinto sogo *

CVE-2025-63498

Alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the "userName" parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
debian debian_linux 11.0
alinto sogo 5.12.3

CVE-2025-63499

Alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter.

Products Affected

Vendor Product Version
alinto sogo *

CVE-2025-71276

SOGo before 5.12.5 is prone to an XSS vulnerability with events, tasks, and contacts categories.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 6.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N 3.1 2.7

Products Affected

Vendor Product Version
alinto sogo *

CVE-2026-3054 MEDIUM

A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@vuldb.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79, CWE-94

Products Affected

Vendor Product Version
alinto sogo 5.12.4
alinto sogo 5.12.3

CVE-2026-33550

SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and its length is too short (only 12 digits instead of the recommended 20).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 2.0 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N 0.5 1.4

Products Affected

Vendor Product Version
alinto sogo *