Hi Salvatore,
On 2026-03-15 16:20:57, Salvatore Bonaccorso wrote:
> CVE-2026-3054[0]:
> | A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This
> | impacts an unknown function. The manipulation of the argument hint
> | leads to cross site scripting. The attack can be initiated remotely.
> | The exploit is publicly available and might be used. The vendor was
> | contacted early about this disclosure but did not respond in any
> | way.
>
> The current information looks like sogo upstream was contacted but did
> not react or comment on the issue? Can you try to check what is
> their take on that report?

I was able to reproduce the issue for sogo 5.12.1-3+deb13u1 following
the description on [0]. After applying the patch in [1] I could not
reproduce the issue anymore. So it seems that [1] fixes this vulnerability.
Best regards
Peter
[0] https://vuldb.com/?submit.757609
[1] https://github.com/Alinto/sogo/commit/e821b20f87d1a9757f1d0aff7d1e31703f97054b