[Pkg-sogo-maintainers] Bug#1110604: sogo: CVE-2025-50340
Peter Wienemann
wiene at debian.org
Thu Aug 14 19:57:43 BST 2025
Hi,
On 2025-08-09 11:40:28, Salvatore Bonaccorso wrote:
> Hi Jordi,
>
> The following vulnerability was published for sogo.
>
> CVE-2025-50340[0]:
> | An Insecure Direct Object Reference (IDOR) vulnerability was
> | discovered in SOGo Webmail thru 5.6.0, allowing an authenticated
> | user to send emails on behalf of other users by manipulating a user-
> | controlled identifier in the email-sending request. The server fails
> | to verify whether the authenticated user is authorized to use the
> | specified sender identity, resulting in unauthorized message
> | delivery as another user. This can lead to impersonation, phishing,
> | or unauthorized communication within the system.
>
> it is unclear if this is something which can be tackled in SoGo, and
> if there is a fixed version upstream. That the CVE description
> mentions only versions up to 5.6.0 is unfortunately no clear
> indication, and neither the 5.7.0 release notes seem to have something
> in that direction.
>
> Can you thus please investigate (keep team at s.d.o in loop please)?
Today one of the upstream developers made a statement on CVE-2025-50340:
https://www.mail-archive.com/users%40sogo.nu/msg34098.html
Best regards
Peter
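The bug class the CVE text describes, shown as an added illustration that is not part of this thread and not SOGo's code: the sender identity must be bound server-side to the authenticated session rather than taken from the request. The identity table, user names and function names below are hypothetical.

```python
from email.utils import parseaddr

# Constructed sample: the identities each authenticated user is allowed to
# send as. Hypothetical model, not SOGo's own data structures.
ALLOWED_IDENTITIES = {
    "alice": {"alice@example.org", "alice.smith@example.org"},
    "bob": {"bob@example.org"},
}


def normalize(from_header: str) -> str:
    """Extract the bare address from a From header value and lower-case it."""
    _display_name, address = parseaddr(from_header)
    return address.strip().lower()


def vulnerable_select_sender(session_user: str, requested_from: str) -> str:
    """The IDOR pattern: the client-supplied From value is used as-is, so
    the session user never influences which identity the mail goes out as."""
    return requested_from


def authorize_sender(session_user: str, requested_from: str) -> tuple[bool, str]:
    """Hardened form: accept the From address only if it is one of the
    identities bound to the authenticated session. Returns (allowed, detail),
    where detail is the normalized address on success or a reason suitable
    for an audit log on failure."""
    address = normalize(requested_from)
    if not address:
        return False, "malformed From address"
    allowed = ALLOWED_IDENTITIES.get(session_user, set())
    if address not in allowed:
        # Record the session user alongside the requested identity so an
        # attempt to send as someone else is attributable in the logs.
        return False, f"user {session_user!r} is not authorized to send as {address}"
    return True, address
```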