CVE-2016-6189 - Vulnerability Details - OpenCVE

Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00173.

Key SSVC decision points have not yet been added.

Vendors	Products
Alinto	Sogo

Configuration 1 [-]

OR	cpe:2.3:a:alinto:sogo::::::::
	cpe:2.3:a:alinto:sogo::::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2016-7122	Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2016/07/09/3
https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225
https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d
https://sogo.nu/bugs/view.php?id=3695

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-02-17T17:00:00

Updated: 2024-08-06T01:22:20.752Z

Reserved: 2016-07-09T00:00:00

Link: CVE-2016-6189

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2017-02-17T17:59:00.797

Modified: 2025-04-20T01:37:25.860

Link: CVE-2016-6189

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-07-04T00:00:00", "descriptions": [{"lang": "en", "value": "Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-02-17T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225"}, {"name": "[oss-security] 20160709 Re: CVE request: several SOGo issues (DOS, XSS, information leakage)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/07/09/3"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://sogo.nu/bugs/view.php?id=3695"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-6189", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d", "refsource": "CONFIRM", "url": "https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d"}, {"name": "https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225", "refsource": "CONFIRM", "url": "https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225"}, {"name": "[oss-security] 20160709 Re: CVE request: several SOGo issues (DOS, XSS, information leakage)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/07/09/3"}, {"name": "https://sogo.nu/bugs/view.php?id=3695", "refsource": "CONFIRM", "url": "https://sogo.nu/bugs/view.php?id=3695"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T01:22:20.752Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225"}, {"name": "[oss-security] 20160709 Re: CVE request: several SOGo issues (DOS, XSS, information leakage)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/07/09/3"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://sogo.nu/bugs/view.php?id=3695"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-6189", "datePublished": "2017-02-17T17:00:00", "dateReserved": "2016-07-09T00:00:00", "dateUpdated": "2024-08-06T01:22:20.752Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D75E49A-4A29-46E4-82AF-2AF4CA019014", "versionEndExcluding": "2.3.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C9075E1-13A1-42BC-8141-8981BD1B3640", "versionEndExcluding": "3.1.1", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds."}, {"lang": "es", "value": "Blacklist incompleta en SOGo en versiones anteriores a 2.3.12 y 3.x en versiones anteriores a 3.1.1 permite a usuarios remotos autenticados obtener informaci\u00f3n sensible leyendo los campos en la fuente (1) ics o (2) de calendario XML."}], "id": "CVE-2016-6189", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-02-17T17:59:00.797", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "VDB Entry"], "url": "http://www.openwall.com/lists/oss-security/2016/07/09/3"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://sogo.nu/bugs/view.php?id=3695"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "VDB Entry"], "url": "http://www.openwall.com/lists/oss-security/2016/07/09/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://sogo.nu/bugs/view.php?id=3695"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-184"}], "source": "nvd@nist.gov", "type": "Primary"}]}