Hi!

On Sun, 15 Mar 2026 at 20:15 +0100, Peter Wienemann wrote:
> Hi Salvatore,
>
> On 2026-03-15 16:20:57, Salvatore Bonaccorso wrote:
> > CVE-2026-3054[0]:
> > > A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This
> > > impacts an unknown function. The manipulation of the argument hint
> > > leads to cross site scripting. The attack can be initiated remotely.
> > > The exploit is publicly available and might be used. The vendor was
> > > contacted early about this disclosure but did not respond in any way.
> >
> > The current information looks like sogo upstream was contacted but did
> > not react or comment on the issue? Can you try to check what is
> > their take on that report?
>
> I was able to reproduce the issue for sogo 5.12.1-3+deb13u1 following
> the description on [0]. After applying the patch in [1] I could not
> reproduce the issue anymore. So it seems that [1] fixes this
> vulnerability.

Thanks! I am preparing packages for 5.12.5 hopefully tonight, I'll tag
the changelog with the appropriate CVE numbers.

Jordi
--
Jordi Mallach <[email protected]>
Debian Project

