Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: sogo

Found 6 matching suggestions

View:
Compact
Detailed
Published
Permalink CVE-2026-8496
6.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 16 hours ago
  • @LeSuisse accepted 4 hours ago
  • @LeSuisse published on GitHub 4 hours ago
A cross-site scripting (XSS) vulnerability in Alinto SOGo, version 5.12.7

A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation files allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the description field of an ICS file, with an onrepeat event handler, is insufficiently sanitized before being rendered in the webmail interface. A remote attacker can execute JavaScript in the victim's browser when the malicious calendar invite is viewed. Successful exploitation may allow mailbox access, email and contact theft, session hijacking, and other actions allowed by an authenticated user.

Affected products

SOGo
  • <5.12.8

Matching in nixpkgs

pkgs.sogo

Very fast and scalable modern collaboration suite (groupware)

Package maintainers

Published
Permalink CVE-2026-46446
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 5 hours ago by @LeSuisse Activity log
  • Created suggestion 16 hours ago
  • @LeSuisse accepted 5 hours ago
  • @LeSuisse published on GitHub 5 hours ago
SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and …

SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and cleartext passwords are stored, allows SQL injection. This is related to c_password = '%@' in changePasswordForLogin.

Affected products

SOGo
  • <5.12.7

Matching in nixpkgs

pkgs.sogo

Very fast and scalable modern collaboration suite (groupware)

Package maintainers

Published
Permalink CVE-2026-46445
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 5 hours ago by @LeSuisse Activity log
  • Created suggestion 16 hours ago
  • @LeSuisse accepted 5 hours ago
  • @LeSuisse published on GitHub 5 hours ago
SOGo before 5.12.7, when PostgreSQL is used, allows SQL injection.

SOGo before 5.12.7, when PostgreSQL is used, allows SQL injection.

Affected products

SOGo
  • <5.12.7

Matching in nixpkgs

pkgs.sogo

Very fast and scalable modern collaboration suite (groupware)

Package maintainers

Published
Permalink CVE-2026-33550
2.0 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 3 weeks ago
  • @LeSuisse accepted 1 month, 3 weeks ago
  • @LeSuisse published on GitHub 1 month, 3 weeks ago
SOGo before 5.12.5 does not renew the OTP if a …

SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has a too short length (only 12 digits instead of the 20 recommended).

Affected products

SOGo
  • <5.12.5

Matching in nixpkgs

pkgs.sogo

Very fast and scalable modern collaboration suite (groupware)

Package maintainers

Upstream patch: https://github.com/Alinto/sogo/commit/83d4c522f87cfde0ba543837d9b24c3479083ec2
Published
Permalink CVE-2025-71276
6.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 3 weeks ago
  • @LeSuisse accepted 1 month, 3 weeks ago
  • @LeSuisse published on GitHub 1 month, 3 weeks ago
SOGo before 5.12.5 is prone to a XSS vulnerability with …

SOGo before 5.12.5 is prone to a XSS vulnerability with events, tasks, and contacts categories.

Affected products

SOGo
  • <5.12.5

Matching in nixpkgs

pkgs.sogo

Very fast and scalable modern collaboration suite (groupware)

Package maintainers

Upstream patch: https://github.com/Alinto/sogo/commit/e9b3f2a43d7557e8416f6749df4ab4f9128af2d1
Untriaged
Permalink CVE-2026-3054
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Not Defined (X)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
created 2 months, 2 weeks ago Activity log
  • Created suggestion 2 months, 2 weeks ago
Alinto SOGo cross site scripting

A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected products

SOGo
  • ==5.12.4
  • ==5.12.3

Matching in nixpkgs

pkgs.sogo

Very fast and scalable modern collaboration suite (groupware)

Package maintainers