Volerion logoVolerion
Volerion logoVolerion

Alinto SOGo Cross-Site Scripting Vulnerability in Username Parameter

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Alinto SOGo version 5.12.3. The issue arises in the login functionality, specifically through the 'userName' parameter in POST requests to the '/SOGo/connect' endpoint. When the 'Remember Username' feature is activated, the application sets a cookie that can be exploited to execute injected JavaScript when the user returns to the authentication page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, enable the 'Remember Username' feature in Alinto SOGo. Then, send a POST request to the '/SOGo/connect' endpoint with a 'userName' parameter that includes a base64-encoded XSS payload, such as a script tag injection. The server response will include the encoded script, which is executed when the user revisits the login page.

Remediation

Users can update to Alinto SOGo version 5.12.4, where this vulnerability has been fixed.

Added: Nov 24, 2025, 9:17 PM
Updated: Nov 24, 2025, 9:17 PM

Vulnerability Rating

Custom Algorithm
spread
0.8
impact
1.7
exploitability
7.7
remediation
7.7
relevance
1.2
threat
6.4
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.