[Pkg-sogo-maintainers] Bug#1110604: sogo: CVE-2025-50340
Salvatore Bonaccorso
carnil at debian.org
Sun Aug 17 15:31:43 BST 2025
Hi,
On Fri, Aug 15, 2025 at 06:56:40AM +0000, Moritz Mühlenhoff wrote:
> On Thu, Aug 14, 2025 at 08:57:43PM +0200, Peter Wienemann wrote:
> > Hi,
> >
> > On 2025-08-09 11:40:28, Salvatore Bonaccorso wrote:
> > > Hi Jordi,
> > >
> > > The following vulnerability was published for sogo.
> > >
> > > CVE-2025-50340[0]:
> > > | An Insecure Direct Object Reference (IDOR) vulnerability was
> > > | discovered in SOGo Webmail thru 5.6.0, allowing an authenticated
> > > | user to send emails on behalf of other users by manipulating a user-
> > > | controlled identifier in the email-sending request. The server fails
> > > | to verify whether the authenticated user is authorized to use the
> > > | specified sender identity, resulting in unauthorized message
> > > | delivery as another user. This can lead to impersonation, phishing,
> > > | or unauthorized communication within the system.
> > >
> > > it is unclear if this is something which can be tackled in SoGo, and
> > > if there is a fixed version upstream. That the CVE description
> > > mentions only versions up to 5.6.0 is unfortunately no clear
> > > indication, and neither the 5.7.0 release notes seem to have something
> > > in that direction.
> > >
> > > Can you thus please investigate (keep team at s.d.o in loop please)?
> >
> > today one of the upstream developers made a statement on CVE-2025-50340:
> >
> > https://www.mail-archive.com/users%40sogo.nu/msg34098.html
>
> Thanks! We've marked it as a non issue in the Debian Security tracker and
> let's also close this bug.
FWIW, asked the assigning CNA if the CVE could be rejected, no update
so far in that regard, but the CVE is at least marked disputed by now
with "this is disputed by the Supplier because the only effective way
to prevent this sender spoofing is on the SMTP server, not within a
client such as SOGo."
Regards,
Salvatore
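The dispute text above says enforcement belongs on the SMTP server rather than in the webmail client. What that looks like in practice, as an added illustration that is not part of the thread, of SOGo, or of Postfix's own documentation (Postfix is chosen here as one common MTA; the domain, login names and map path are made up):

```conf
# /etc/postfix/main.cf (relevant fragment)

# Submission clients, the webmail included, must authenticate to the MTA
# as the individual user; a shared relay account gives the MTA nothing
# to compare the sender address against.
smtpd_sasl_auth_enable = yes

# Lookup table: permitted envelope sender address -> SASL login name(s)
# that may use it. Path and contents are assumptions for this example.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# Weak: any authenticated user may put any address in MAIL FROM.
#smtpd_sender_restrictions = permit_sasl_authenticated, reject

# Corrected: an authenticated session whose MAIL FROM is not mapped to
# its own login name is rejected before permit_sasl_authenticated applies.
smtpd_sender_restrictions =
    reject_authenticated_sender_login_mismatch,
    permit_sasl_authenticated,
    reject

# /etc/postfix/sender_login_maps (rebuild with: postmap /etc/postfix/sender_login_maps)
# sender address        SASL login name(s) allowed to use it
alice@example.org       alice
bob@example.org         bob
sales@example.org       alice, bob
```

On a server that also accepts inbound mail on port 25 the sender restriction is normally set on the submission service in master.cf instead (`-o smtpd_sender_restrictions=...`), so that it applies only to authenticated clients. Two caveats a practitioner should keep in mind: this check covers the envelope MAIL FROM only, so a mismatching From: header still needs a header check or a milter if that matters to you, and it is only as good as the login-to-address map, which has to be kept in step with the directory that SOGo reads identities from.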