{"id":"USN-8504-1","summary":"sogo vulnerabilities","details":"It was discovered that SOGo did not properly sanitize categories used\nfor events, tasks, and contacts. A remote authenticated attacker could\npossibly use this issue to perform cross-site scripting attacks. This\nissue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04\nLTS, and Ubuntu 26.04 LTS. (CVE-2025-71276)\n\nIt was discovered that SOGo did not properly sanitize the hint query\nparameter. A remote attacker could possibly use this issue to perform\ncross-site scripting attacks. This issue only affected Ubuntu 26.04\nLTS. (CVE-2026-3054)\n\nIt was discovered that SOGo did not renew the one-time password when a\nuser disabled and re-enabled it, and used a shorter length than\nrecommended. A remote attacker could possibly use this issue to bypass\nauthentication. This issue only affected Ubuntu 22.04 LTS and Ubuntu\n26.04 LTS. (CVE-2026-33550)\n\nIt was discovered that SOGo did not properly use the SQL adaptor for\nthe user source, resulting in SQL injection when certain databases\nwere used. A remote authenticated attacker could possibly use this\nissue to obtain sensitive information or execute arbitrary SQL\ncommands. (CVE-2026-46445, CVE-2026-46446)\n\nIt was discovered that SOGo did not properly sanitize mail containing\nICS calendar invitations. A remote attacker could possibly use this\nissue to perform cross-site scripting attacks. This issue only\naffected Ubuntu 26.04 LTS. (CVE-2026-8496)\n\nIt was discovered that SOGo did not properly validate identifiers when\nmanaging access control lists. A remote authenticated attacker could\npossibly use this issue to perform SQL injection attacks and obtain\nsensitive information. (CVE-2026-8851)\n\nIt was discovered that SOGo did not properly sanitize the theme\nparameter. A remote attacker could possibly use this issue to perform\ncross-site scripting attacks. This issue only affected Ubuntu 18.04\nLTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2025-63499)\n\nIt was discovered that SOGo did not properly sanitize the userName\nparameter on the login page. A remote attacker could possibly use this\nissue to perform cross-site scripting attacks. This issue only\naffected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and\nUbuntu 22.04 LTS. (CVE-2025-63498)\n\nIt was discovered that SOGo did not properly sanitize attachments when\npreviewing them. A remote attacker could possibly use this issue to\nperform cross-site scripting attacks. This issue only affected Ubuntu\n16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.\n(CVE-2024-34462)\n\nIt was discovered that SOGo did not validate the signatures of SAML\nassertions it received when SAML was used for authentication. A remote\nattacker could possibly use this issue to impersonate other users.\nThis issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and\nUbuntu 20.04 LTS. (CVE-2021-33054)","modified":"2026-07-06T20:44:29.515784604Z","published":"2026-07-05T23:01:31Z","related":["UBUNTU-CVE-2021-33054","UBUNTU-CVE-2024-34462","UBUNTU-CVE-2025-63498","UBUNTU-CVE-2025-63499","UBUNTU-CVE-2025-71276","UBUNTU-CVE-2026-3054","UBUNTU-CVE-2026-33550","UBUNTU-CVE-2026-46445","UBUNTU-CVE-2026-46446","UBUNTU-CVE-2026-8496","UBUNTU-CVE-2026-8851"],"upstream":["CVE-2021-33054","CVE-2024-34462","CVE-2025-63498","CVE-2025-63499","CVE-2025-71276","CVE-2026-3054","CVE-2026-33550","CVE-2026-46445","CVE-2026-46446","CVE-2026-8496","CVE-2026-8851","UBUNTU-CVE-2021-33054","UBUNTU-CVE-2024-34462","UBUNTU-CVE-2025-63498","UBUNTU-CVE-2025-63499","UBUNTU-CVE-2025-71276","UBUNTU-CVE-2026-3054","UBUNTU-CVE-2026-33550","UBUNTU-CVE-2026-46445","UBUNTU-CVE-2026-46446","UBUNTU-CVE-2026-8496","UBUNTU-CVE-2026-8851"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8504-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-33054"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-34462"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-63498"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-63499"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-71276"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-3054"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-8496"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-8851"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-33550"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-46445"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-46446"}],"affected":[{"package":{"name":"sogo","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/sogo?arch=source&distro=esm-apps-legacy%2Fxenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.17a-1.1ubuntu0.1~esm1"}]}],"versions":["2.2.17a-1","2.2.17a-1.1","2.2.17a-1.1build1"],"ecosystem_specific":{"binaries":[{"binary_version":"2.2.17a-1.1ubuntu0.1~esm1","binary_name":"sogo"},{"binary_version":"2.2.17a-1.1ubuntu0.1~esm1","binary_name":"sogo-common"}],"availability":"Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8504-1.json","cves_map":{"cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-33054"},{"id":"CVE-2024-34462","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2025-63498","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-8851","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-46445","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-46446"}],"ecosystem":"Ubuntu:Pro:16.04:LTS"}}},{"package":{"name":"sogo","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/sogo?arch=source&distro=esm-apps%2Fbionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.2.10-1ubuntu0.1~esm1"}]}],"versions":["3.2.10-1","3.2.10-1build1"],"ecosystem_specific":{"binaries":[{"binary_version":"3.2.10-1ubuntu0.1~esm1","binary_name":"sogo"},{"binary_version":"3.2.10-1ubuntu0.1~esm1","binary_name":"sogo-common"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8504-1.json","cves_map":{"cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-33054"},{"id":"CVE-2024-34462","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2025-63498"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2025-63499"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2025-71276"},{"id":"CVE-2026-8851","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"medium","type":"Ubuntu"}]},{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-46445"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-46446"}],"ecosystem":"Ubuntu:Pro:18.04:LTS"}}},{"package":{"name":"sogo","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/sogo?arch=source&distro=esm-apps%2Ffocal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.3.0-1ubuntu0.1~esm1"}]}],"versions":["4.0.8-1","4.1.0-1","4.1.1-1","4.3.0-1"],"ecosystem_specific":{"binaries":[{"binary_version":"4.3.0-1ubuntu0.1~esm1","binary_name":"sogo"},{"binary_version":"4.3.0-1ubuntu0.1~esm1","binary_name":"sogo-common"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8504-1.json","cves_map":{"cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2021-33054"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-34462"},{"id":"CVE-2025-63498","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2025-63499","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2025-71276","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-8851"},{"id":"CVE-2026-46445","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-46446"}],"ecosystem":"Ubuntu:Pro:20.04:LTS"}}},{"package":{"name":"sogo","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/sogo?arch=source&distro=esm-apps%2Fjammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.5.1-1ubuntu0.1~esm1"}]}],"versions":["5.1.0-1","5.2.0-1","5.2.0-3","5.3.0-1","5.3.0-1build2","5.4.0-1","5.5.0-1","5.5.1-1"],"ecosystem_specific":{"binaries":[{"binary_version":"5.5.1-1ubuntu0.1~esm1","binary_name":"sogo"},{"binary_version":"5.5.1-1ubuntu0.1~esm1","binary_name":"sogo-activesync"},{"binary_version":"5.5.1-1ubuntu0.1~esm1","binary_name":"sogo-common"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8504-1.json","cves_map":{"cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-34462"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2025-63498"},{"id":"CVE-2025-63499","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2025-71276"},{"id":"CVE-2026-8851","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"medium","type":"Ubuntu"}]},{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-33550"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-46445"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-46446"}],"ecosystem":"Ubuntu:Pro:22.04:LTS"}}},{"package":{"name":"sogo","ecosystem":"Ubuntu:Pro:26.04:LTS","purl":"pkg:deb/ubuntu/sogo?arch=source&distro=esm-apps%2Fresolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.12.4-1.2ubuntu0.1~esm1"}]}],"versions":["5.12.1-3","5.12.4-1","5.12.4-1.1","5.12.4-1.2"],"ecosystem_specific":{"binaries":[{"binary_version":"5.12.4-1.2ubuntu0.1~esm1","binary_name":"sogo"},{"binary_version":"5.12.4-1.2ubuntu0.1~esm1","binary_name":"sogo-activesync"},{"binary_version":"5.12.4-1.2ubuntu0.1~esm1","binary_name":"sogo-common"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8504-1.json","cves_map":{"cves":[{"id":"CVE-2025-71276","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P","type":"CVSS_V4"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-3054"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-8496"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-8851"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-33550"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-46445"},{"id":"CVE-2026-46446","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:Pro:26.04:LTS"}}}],"schema_version":"1.7.5"}