4.3

CVE-2016-6189

Exploit
Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
AlintoSogo Version < 2.3.12
AlintoSogo Version >= 3.0.0 < 3.1.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.4% 0.69
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov 4 8 2.9
AV:N/AC:L/Au:S/C:P/I:N/A:N
CWE-184 Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

http://www.openwall.com/lists/oss-security/2016/07/09/3
VDB Entry
Mailing List
https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225
Patch
https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d
Patch
https://sogo.nu/bugs/view.php?id=3695
Vendor Advisory
Exploit