Alinto Sogo Cross-Site Scripting Vulnerability in the Theme Parameter

Vulnerability

A reflected cross-site scripting vulnerability has been identified in Alinto Sogo version 5.12.3. The theme parameter of the mail view endpoint is reflected into the response without adequate encoding, so an attacker who gets a victim to open a crafted link can run script in the context of the victim's browser and Sogo session. Exploitation requires knowledge of the victim's email address (the crafted link is specific to that user) and a way to deliver the link to that person, and the victim must hold a valid Sogo session when opening it.

Impact

Successful exploitation yields reflected cross-site scripting: attacker-controlled JavaScript runs in the victim's browser under the origin of the Sogo deployment, with the victim's authenticated session available to it.

Reproduction

To reproduce this vulnerability, request the Sogo mail view endpoint with a theme parameter whose value contains a script tag; a payload that calls alert is enough to confirm execution. Because the link is tied to the victim's account, the victim's email address must be known, the crafted link must be delivered to that user, and the user must open it while holding a valid Sogo session.

Remediation

Update to Alinto Sogo version 5.12.4 or later, where this vulnerability has been fixed.

Added: Dec 4, 2025, 8:19 PM
Updated: Dec 4, 2025, 8:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 1.7
exploitability: 7.3
remediation: 7.7
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.