[Pkg-sogo-maintainers] Bug#1130878: sogo: CVE-2026-3054
Peter Wienemann
wiene at debian.org
Sun Mar 15 19:15:52 GMT 2026
Hi Salvatore,
On 2026-03-15 16:20:57, Salvatore Bonaccorso wrote:
> CVE-2026-3054[0]:
> | A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This
> | impacts an unknown function. The manipulation of the argument hint
> | leads to cross site scripting. The attack can be initiated remotely.
> | The exploit is publicly available and might be used. The vendor was
> | contacted early about this disclosure but did not respond in any
> | way.
>
> The current information looks like sogo upstream was contacted but did
> not react or comment on the issue? Can you try to check what is
> their take on that report?
I was able to reproduce the issue for sogo 5.12.1-3+deb13u1 following
the description on [0]. After applying the patch in [1] I could not
reproduce the issue anymore. So it seems that [1] fixes this vulnerability.
Best regards
Peter
[0] https://vuldb.com/?submit.757609
[1] https://github.com/Alinto/sogo/commit/e821b20f87d1a9757f1d0aff7d1e31703f97054b