[Pkg-sogo-maintainers] Bug#1130878: sogo: CVE-2026-3054
Jordi Mallach
jordi at debian.org
Sun Mar 15 19:20:59 GMT 2026
Hi!
On Sun, 15 Mar 2026 at 20:15 +0100, Peter Wienemann wrote:
> Hi Salvatore,
>
> On 2026-03-15 16:20:57, Salvatore Bonaccorso wrote:
> > CVE-2026-3054[0]:
> > > A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This
> > > impacts an unknown function. The manipulation of the argument hint
> > > leads to cross site scripting. The attack can be initiated remotely.
> > > The exploit is publicly available and might be used. The vendor was
> > > contacted early about this disclosure but did not respond in any way.
> >
> > The current information looks like sogo upstream was contacted but did
> > not react or comment on the issue? Can you try to check what is
> > their take on that report?
>
> I was able to reproduce the issue for sogo 5.12.1-3+deb13u1 following
> the description on [0]. After applying the patch in [1] I could not
> reproduce the issue anymore. So it seems that [1] fixes this
> vulnerability.
Thanks!
I am preparing packages for 5.12.5 hopefully tonight, I'll tag the
changelog with the appropriate CVE numbers.
Jordi
--
Jordi Mallach <jordi at debian.org>
Debian Project