Hi, On 2025-08-09 11:40:28, Salvatore Bonaccorso wrote:
> Hi Jordi,
>
> The following vulnerability was published for sogo.
>
> CVE-2025-50340[0]:
> | An Insecure Direct Object Reference (IDOR) vulnerability was
> | discovered in SOGo Webmail thru 5.6.0, allowing an authenticated
> | user to send emails on behalf of other users by manipulating a user-
> | controlled identifier in the email-sending request. The server fails
> | to verify whether the authenticated user is authorized to use the
> | specified sender identity, resulting in unauthorized message
> | delivery as another user. This can lead to impersonation, phishing,
> | or unauthorized communication within the system.
>
> It is unclear if this is something which can be tackled in SoGo, and if
> there is a fixed version upstream. That the CVE description mentions only
> versions up to 5.6.0 is unfortunately no clear indication, nor do the
> 5.7.0 release notes seem to have anything in that direction.
>
> Can you thus please investigate (keep [email protected] in loop please)?
Today one of the upstream developers made a statement on CVE-2025-50340:

https://www.mail-archive.com/users%40sogo.nu/msg34098.html

Best regards
Peter
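As an added illustration (not code from SOGo or from anyone in this thread), a minimal model of the check the CVE description says is missing: the vulnerable resolver trusts the client-supplied identity id, while the fixed one only accepts ids among the identities bound to the authenticated user. All user names, addresses and ids are constructed.

```python
# Hypothetical, simplified model of a webmail "send" endpoint; not SOGo code.
# The client names the sender by an identity id it chooses. The vulnerable
# resolver trusts that id; the fixed one accepts it only if the identity is
# bound to the authenticated user.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    ident_id: int
    email: str


@dataclass
class User:
    login: str
    identities: list = field(default_factory=list)


class Forbidden(Exception):
    """Raised when a user asks to send as an identity they do not own."""


# Constructed sample data: the server-side identity table and its ownership.
IDENTITIES = {
    1: Identity(1, "alice@example.test"),
    2: Identity(2, "alice.alias@example.test"),
    3: Identity(3, "bob@example.test"),
}
USERS = {
    "alice": User("alice", [IDENTITIES[1], IDENTITIES[2]]),
    "bob": User("bob", [IDENTITIES[3]]),
}


def resolve_sender_vulnerable(user: User, identity_id: int) -> str:
    # Global lookup with no ownership check: the authenticated user is
    # ignored, so any valid id yields someone else's From address.
    return IDENTITIES[identity_id].email


def resolve_sender_fixed(user: User, identity_id: int) -> str:
    # The id only selects among identities already bound to the session.
    for ident in user.identities:
        if ident.ident_id == identity_id:
            return ident.email
    raise Forbidden(f"{user.login} may not send as identity {identity_id}")
```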

