2018-04-26
ALT-BU-2018-3219-3
Branch sisyphus update bulletin.
Closed vulnerabilities
Published: 2017-09-20
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2015-5395
Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0.
Severity: MEDIUM (6.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: HIGH (8.8)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
- http://www.openwall.com/lists/oss-security/2015/07/10/9
- https://github.com/inverse-inc/sogo/commit/582baf2960969c73f98643e46cfb49432c30b711
- https://lists.debian.org/debian-lts/2016/05/msg00197.html
- https://security-tracker.debian.org/tracker/CVE-2015-5395/
- https://sogo.nu/bugs/view.php?id=3246
- http://www.openwall.com/lists/oss-security/2015/07/10/9
- https://github.com/inverse-inc/sogo/commit/582baf2960969c73f98643e46cfb49432c30b711
- https://lists.debian.org/debian-lts/2016/05/msg00197.html
- https://security-tracker.debian.org/tracker/CVE-2015-5395/
- https://sogo.nu/bugs/view.php?id=3246
Published: 2017-02-17
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2016-6189
Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.
Severity: MEDIUM (4.0)Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Severity: MEDIUM (4.3)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References:
- http://www.openwall.com/lists/oss-security/2016/07/09/3
- https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225
- https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d
- https://sogo.nu/bugs/view.php?id=3695
- http://www.openwall.com/lists/oss-security/2016/07/09/3
- https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225
- https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d
- https://sogo.nu/bugs/view.php?id=3695
Published: 2017-02-17
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2016-6191
Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Description, (2) Location, (3) URL, or (4) Title field.
Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Severity: MEDIUM (6.1)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
- http://www.openwall.com/lists/oss-security/2016/07/09/3
- https://github.com/inverse-inc/sogo/commit/64ce3c9c22fd9a28caabf11e76216cd53d0245aa
- https://sogo.nu/bugs/view.php?id=3718
- http://www.openwall.com/lists/oss-security/2016/07/09/3
- https://github.com/inverse-inc/sogo/commit/64ce3c9c22fd9a28caabf11e76216cd53d0245aa
- https://sogo.nu/bugs/view.php?id=3718
Closed bugs
sogo2 vs sogo3
У пакета URL на страницу, требующую логин
Не верно отображаются папки верхнего уровня на русском через ActiveSync
Проблема с полем выбора получателей в SOGo