[Pkg-sogo-maintainers] Bug#1110604: sogo: CVE-2025-50340

Salvatore Bonaccorso carnil at debian.org
Sat Aug 9 10:40:28 BST 2025


Source: sogo
Version: 5.12.1-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi Jordi,

The following vulnerability was published for sogo.

CVE-2025-50340[0]:
| An Insecure Direct Object Reference (IDOR) vulnerability was
| discovered in SOGo Webmail thru 5.6.0, allowing an authenticated
| user to send emails on behalf of other users by manipulating a user-
| controlled identifier in the email-sending request. The server fails
| to verify whether the authenticated user is authorized to use the
| specified sender identity, resulting in unauthorized message
| delivery as another user. This can lead to impersonation, phishing,
| or unauthorized communication within the system.

It is unclear if this is something which can be tackled in SoGo, and
if there is a fixed version upstream. That the CVE description
mentions only versions up to 5.6.0 is unfortunately no clear
indication, and neither do the 5.7.0 release notes seem to have something
in that direction.

Can you thus please investigate (keep team at s.d.o in loop please)?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-50340
    https://www.cve.org/CVERecord?id=CVE-2025-50340
[1] https://github.com/millad7/SOGo_web_mail-vulnerability-CVE-2025-50340

Regards,
Salvatore
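The CVE text above describes the missing check in general terms: the server resolves a client-supplied sender-identity id without confirming that the identity belongs to the authenticated account. The following is an added illustration of that check, written for this page and not taken from SOGo's source; the account directory, the `identity_id` field and the function names are constructed for the example, and the point is the contrast between looking an identity up globally and looking it up only inside the caller's own account.

```python
"""Constructed illustration of the authorization check whose absence
turns an email-sending endpoint into an IDOR. Not SOGo's code; the
data model and names are assumptions made for this example."""

from dataclasses import dataclass, field


@dataclass
class Identity:
    identity_id: str
    email: str
    display_name: str


@dataclass
class Account:
    username: str
    identities: list[Identity] = field(default_factory=list)


# Constructed directory: each account owns a set of sender identities.
ACCOUNTS = {
    "alice": Account("alice", [
        Identity("id-1", "alice@example.org", "Alice"),
        Identity("id-2", "support@example.org", "Support Desk"),
    ]),
    "bob": Account("bob", [
        Identity("id-3", "bob@example.org", "Bob"),
    ]),
}

# Rejected attempts are recorded so they can be surfaced in monitoring.
REJECTED: list[dict] = []


class Forbidden(Exception):
    """Raised when a user asks to send as an identity they do not own."""


def _lookup_any(identity_id: str) -> Identity:
    """Global lookup: finds the id in *any* account. This is the shape
    of the vulnerable behaviour, where existence is mistaken for
    authorization."""
    for acct in ACCOUNTS.values():
        for ident in acct.identities:
            if ident.identity_id == identity_id:
                return ident
    raise KeyError(identity_id)


def send_vulnerable(session_user: str, request: dict) -> dict:
    """Vulnerable variant: trusts the client-chosen identity id, so any
    authenticated user can send as any identity in the directory."""
    ident = _lookup_any(request["identity_id"])
    return {"from": ident.email, "to": request["to"], "by": session_user}


def resolve_sender(session_user: str, identity_id: str) -> Identity:
    """Hardened variant: the identity is resolved only within the
    authenticated user's own account. Anything else is refused and
    logged, regardless of whether the id exists elsewhere."""
    acct = ACCOUNTS[session_user]
    for ident in acct.identities:
        if ident.identity_id == identity_id:
            return ident
    REJECTED.append({"user": session_user, "identity_id": identity_id})
    raise Forbidden(f"{session_user} may not send as identity {identity_id}")


def sender_allowed(session_user: str, identity_id: str) -> bool:
    """Convenience predicate around resolve_sender."""
    try:
        resolve_sender(session_user, identity_id)
        return True
    except Forbidden:
        return False


def send_hardened(session_user: str, request: dict) -> dict:
    """Same endpoint with the ownership check applied before sending."""
    ident = resolve_sender(session_user, request["identity_id"])
    return {"from": ident.email, "to": request["to"], "by": session_user}


if __name__ == "__main__":
    req = {"identity_id": "id-1", "to": "carol@example.org"}
    print("vulnerable:", send_vulnerable("bob", req))
    print("hardened allows own id:", sender_allowed("bob", "id-3"))
    print("hardened allows foreign id:", sender_allowed("bob", "id-1"))
    print("rejected attempts:", REJECTED)
```

The key design point is that the hardened path never consults a global table keyed by the client-supplied id; it starts from the session's account object and only then looks for the id, so the check cannot be forgotten on a later code path. Recording rejections also gives operators a signal to alert on, since a legitimate client never submits an identity id its own account does not list.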