Hi Peter,

On Sun, Mar 15, 2026 at 08:15:52PM +0100, Peter Wienemann wrote:
> Hi Salvatore,
>
> On 2026-03-15 16:20:57, Salvatore Bonaccorso wrote:
> > CVE-2026-3054[0]:
> > | A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This
> > | impacts an unknown function. The manipulation of the argument hint
> > | leads to cross site scripting. The attack can be initiated remotely.
> > | The exploit is publicly available and might be used. The vendor was
> > | contacted early about this disclosure but did not respond in any
> > | way.
> >
> > The current information looks that sogo upstream was contacted but did
> > not react or comment on the issue? Can you try to check what is
> > their take on that report?
>
> I was able to reproduce the issue for sogo 5.12.1-3+deb13u1 following the
> description on [0]. After applying the patch in [1] I could not reproduce
> the issue anymore. So it seems that [1] fixes this vulnerability.

Thanks for pinpointing the fix, I have updated the security-tracker data on it.

Regards,
Salvatore

