PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6191 Alinto CVE debrief

CVE-2016-6191 describes multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page of the SOGo Web Calendar. In affected versions before 3.1.3, attacker-controlled content in the Description, Location, URL, or Title fields could be rendered as arbitrary web script or HTML. The NVD record classifies the issue as medium severity and maps it to CWE-79.

Vendor
Alinto
Product
SOGo Web Calendar
CVSS
MEDIUM 6.1 (CVSS 3.1)
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-17
Original CVE updated
2026-05-13
Advisory published
2017-02-17
Advisory updated
2026-05-13

Who should care

Administrators and security teams running SOGo Web Calendar should pay attention, especially where users accept invitations or view calendars that other people can write to: the payload travels in ordinary event fields, and a victim only has to open the View Raw Source page for a crafted event. Any deployment that still exposes a version before 3.1.3 is in scope.

Technical summary

The vulnerability is an output-encoding / sanitization failure in the Web Calendar’s View Raw Source page. User-supplied calendar fields (Description, Location, URL and Title) are reflected into the HTML of that page without encoding, so markup or script placed in them is interpreted by the browser instead of being shown as text. NVD’s CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates network reachability, low attack complexity, no privileges required, and user interaction needed (the victim must open the affected page). The scope is marked as changed (S:C) because the injected script runs in the victim’s browser session rather than in the component that holds the calendar data, and the impact is rated low on confidentiality and integrity with no availability impact.

Defensive priority

Medium overall, but treat the upgrade as a high priority for any exposed SOGo deployment still on a version earlier than 3.1.3: the issue is reachable by anyone who can get a crafted event in front of a user, and the only interaction required is opening the affected page.

Recommended defensive actions

  • Upgrade SOGo to version 3.1.3 or later.
  • Verify that the View Raw Source page correctly encodes or sanitizes the Description, Location, URL, and Title fields before rendering.
  • Review any custom themes, templates, or integrations that might bypass upstream output handling.
  • Add regression tests for XSS in calendar source views and shared-event rendering paths.
  • If immediate upgrade is not possible, limit access to the affected Web Calendar functionality until the patch is deployed.
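As an added example that is not SOGo's code or the vendor's fix, the following Python models the failure class on a constructed iCalendar event and shows the kind of regression check the list above asks for: the vulnerable rendering concatenates the raw calendar text into HTML, the hardened one entity-encodes it, and the check parses what each produces and reports which of the four advisory fields injected markup. The sample event, the small iCalendar parser and every function name are assumptions made for this demonstration; the URL-scheme check is an extra precaution for templates that might later emit the URL field as a link, which the advisory does not describe.

```python
import html
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

# Constructed iCalendar event for the demonstration (not data from SOGo or the
# advisory). Each of the four fields named in the CVE carries a distinct payload.
# DESCRIPTION is folded across two lines (RFC 5545) to exercise the unfolding step.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
UID:constructed-event-1@example.invalid
SUMMARY:Team sync <script>alert(1)</script>
LOCATION:Room 4 <img src=x onerror=alert(2)>
URL:javascript:alert(3)
DESCRIPTION:Agenda for the
  week "><svg onload=alert(4)>
END:VEVENT
END:VCALENDAR
"""

# iCalendar property names for the fields the advisory lists (SUMMARY is the title).
XSS_FIELDS = ("SUMMARY", "LOCATION", "URL", "DESCRIPTION")
ALLOWED_TAGS = {"pre"}                       # the only markup the raw-source view itself emits
SCRIPT_SCHEMES = {"javascript", "data", "vbscript"}


def unfold(ics: str) -> List[str]:
    """Undo RFC 5545 line folding: a line starting with space or tab continues the previous one."""
    lines: List[str] = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_vevent(ics: str) -> Dict[str, str]:
    """Properties of the first VEVENT as {NAME: value}; property parameters are dropped."""
    props: Dict[str, str] = {}
    inside = False
    for line in unfold(ics):
        if line == "BEGIN:VEVENT":
            inside = True
            continue
        if line == "END:VEVENT":
            break
        if inside and ":" in line:
            name, value = line.split(":", 1)
            props[name.split(";", 1)[0].upper()] = value
    return props


def render_raw_source_vulnerable(ics: str) -> str:
    """The failure class behind CVE-2016-6191: calendar text concatenated into HTML unencoded."""
    return "<pre>" + ics + "</pre>"


def render_raw_source_hardened(ics: str) -> str:
    """Same view with output encoding: <, >, &, and quotes become entities, so text stays text."""
    return "<pre>" + html.escape(ics, quote=True) + "</pre>"


class _TagCollector(HTMLParser):
    """Records every start tag the browser would see in the rendered page."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(rendered_html: str) -> List[str]:
    """Tags other than the view's own wrapper; any hit means markup injection succeeded."""
    parser = _TagCollector()
    parser.feed(rendered_html)
    parser.close()
    return [t for t in parser.tags if t not in ALLOWED_TAGS]


def fields_with_injection(render: Callable[[str], str], event: Dict[str, str]) -> Dict[str, List[str]]:
    """Regression check: render each advisory field on its own and report the ones that inject markup."""
    findings: Dict[str, List[str]] = {}
    for prop in XSS_FIELDS:
        fragment = "BEGIN:VEVENT\n" + prop + ":" + event.get(prop, "") + "\nEND:VEVENT\n"
        tags = injected_tags(render(fragment))
        if tags:
            findings[prop] = tags
    return findings


def unsafe_url_scheme(event: Dict[str, str]) -> Optional[str]:
    """Encoding keeps a URL inert as text but not if a template later emits it as href (assumption)."""
    scheme = urlparse(event.get("URL", "")).scheme.lower()
    return scheme if scheme in SCRIPT_SCHEMES else None


if __name__ == "__main__":
    event = parse_vevent(SAMPLE_ICS)
    print("vulnerable:", fields_with_injection(render_raw_source_vulnerable, event))
    print("hardened:  ", fields_with_injection(render_raw_source_hardened, event))
    print("url scheme:", unsafe_url_scheme(event))
```

Run against the constructed event, the vulnerable renderer reports script, img and svg tags injected through SUMMARY, LOCATION and DESCRIPTION, while the hardened renderer reports none; the URL field injects no tag in a text-only view, which is exactly why the scheme check is kept separate. A test like this belongs next to whatever template produces the View Raw Source page, so that a theme or integration that drops the encoding step fails the build rather than reaching users.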

Evidence notes

The CVE record published by NVD lists affected versions through SOGo 3.1.2 and cites CWE-79. The reference set includes an oss-security mailing list post, a SOGo patch commit, and a vendor advisory, all of which support the remediation history for this issue. The supplied corpus also provides the CVSS 3.1 vector and confirms that the vulnerability requires user interaction.

Official resources

The CVE record was published on 2017-02-17. The reference list also points to a 2016 oss-security thread, a patch commit, and a vendor advisory, indicating the issue and remediation were discussed before the record publication date.