PatchSiren

Alinto CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Alinto CVE published 2026-05-18

CVE-2026-8851

A SQL injection vulnerability in SOGo versions 5.12.7 and prior allows authenticated attackers to extract arbitrary database data through the Access Control List management functionality. The vulnerability resides in the `addUserInAcls` endpoint, where the `uid` parameter is not properly sanitized, enabling SQL subquery injection. Attackers can leverage this to write extracted data into the `so [truncated]

MEDIUM Alinto CVE published 2017-02-17

CVE-2016-6191

CVE-2016-6191 describes multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page of the SOGo Web Calendar. In affected versions before 3.1.3, attacker-controlled content in the Description, Location, URL, or Title fields could be rendered as arbitrary web script or HTML. The NVD record classifies the issue as medium severity and maps it to CWE-79.

MEDIUM Alinto CVE published 2017-02-17

CVE-2016-6189

CVE-2016-6189 is an authenticated information disclosure issue in SOGo. An incomplete blacklist in the calendar feed handling could let a remote authenticated user read sensitive fields from ICS or XML calendar feeds. NVD rates the issue as medium severity (CVSS 4.3).

MEDIUM Alinto CVE published 2017-02-17

CVE-2014-9905

CVE-2014-9905 is a cross-site scripting issue in SOGo Web Calendar. According to the CVE description, attackers could inject arbitrary web script or HTML through appointment titles or contact fields in versions before 2.2.0. NVD scores the issue at 6.1 (medium) under CVSS 3.1, with network reachability, low attack complexity, no privileges required, user interaction required, and a changed scope.

MEDIUM Alinto CVE published 2017-02-03

CVE-2016-6188

CVE-2016-6188 is a memory-consumption denial-of-service issue affecting SOGo 2.3.7. According to the CVE description and NVD data, repeated attempts to upload a large attachment can leak memory or accumulate temporary-file-related resources, eventually degrading service availability. NVD rates the issue as network exploitable with low attack complexity, requiring low privileges and no user interaction, an [truncated]