Alinto SOGo
cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*
- 5.12.3
- 5.12.4
A reflected cross-site scripting vulnerability has been identified in Alinto SOGo versions 5.12.3 and 5.12.4. The issue arises in the web login interface, where the application fails to properly sanitize user input passed through the 'hint' URL parameter. This lack of proper encoding allows remote attackers to inject and execute arbitrary JavaScript in the context of the victim's browser. The vulnerability can be exploited by convincing users to visit a specially crafted URL that includes the malicious payload.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the affected user's browser, potentially leading to session hijacking or other malicious actions.
To reproduce this vulnerability, send a request to the SOGo login interface with a crafted 'hint' parameter that includes a JavaScript payload. The injected script will be executed in the context of the user's browser.
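To check whether URLs of this kind have already reached a server, the following added example (not part of the original advisory and not SOGo code) scans access-log lines for `hint` values that still contain HTML-significant characters after repeated percent-decoding. The combined log format, the `/SOGo/` path and every sample line are constructed assumptions.

```python
"""Flag requests whose 'hint' query parameter carries HTML-significant characters."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Characters that change HTML text or attribute context if reflected unencoded.
HTML_SIGNIFICANT = set("<>\"'`")
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines; addresses, timestamps and the /SOGo/ path are assumptions.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /SOGo/?hint=alice%40example.org HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2025:10:00:05 +0000] "GET /SOGo/?hint=%3Ci%3Emarkup%3C%2Fi%3E HTTP/1.1" 200 5180',
    '192.0.2.12 - - [01/Jan/2025:10:00:09 +0000] "GET /SOGo/?hint=%253Ci%253Emarkup HTTP/1.1" 200 5175',
    '192.0.2.13 - - [01/Jan/2025:10:00:12 +0000] "GET /SOGo/so/alice/Mail/view HTTP/1.1" 200 900',
]

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding, e.g. %253C -> %3C -> <."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_hint(log_line):
    """Return the decoded 'hint' value if it contains HTML-significant characters, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    try:
        query = urlsplit(match.group(1)).query
    except ValueError:  # malformed request target
        return None
    # parse_qs performs the first round of percent-decoding.
    for raw in parse_qs(query, keep_blank_values=True).get("hint", []):
        value = fully_decode(raw)
        if HTML_SIGNIFICANT & set(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_hint) for every flagged line."""
    hits = [(n, suspicious_hint(line)) for n, line in enumerate(lines, start=1)]
    return [(n, value) for n, value in hits if value is not None]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: hint={value!r}")
```

A hit shows that such a request was received, not that script ran in a browser; correlate it with the client address and with whether the server was running 5.12.3 or 5.12.4 at the time.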