CVE-2022-4558: Release SOGo v5.8.0 · Alinto/sogo

A vulnerability was found in Alinto SOGo up to 5.7.1 and has been classified as problematic. It affects an unknown part of the file SoObjects/SOGo/NSString+Utilities.m in the Folder/Mail Handler component. The manipulation leads to cross-site scripting, and the attack can be initiated remotely. Upgrading to version 5.8.0 addresses this issue. The patch is identified as 1e0f5f00890f751e84d67be4f139dd7f00faa5f3. Upgrading the affected component is recommended. The identifier VDB-215961 was assigned to this vulnerability.


The Alinto team is pleased to announce the immediate availability of SOGo v5.8.0. This is a minor release of SOGo which focuses on various enhancements and improved stability over previous versions.

Features

  • password-recovery: Add password recovery with secret question or secondary email (656807b 77062be 33940b1 e269df8 b7531bc c4dd695 1ea8b9f 2e1b22c 440a15b 58540f1 d363474 9b023f4 18c92da d50080e)

Bug Fixes

  • addressbook: Fix invalid template (04dd78d)
  • addressbook: Fix NSException on address book where uppercaseString is called on data (c62b043)
  • calendar(js): destination calendars of new components (3eeebbc), closes #5581
  • calendar: Update c_startdate field when updating event. Fixes #4376 (549d6a8)
  • core: Fix NSException when c_content is NULL. Closes #5644. Original fix by @jvdsn. (2786064)
  • mail(js): fix validation of email addresses. Closes #5594 (d194b1e)
  • security: Security fix for WSTG-INPV-02. Add XSS protection. Fixes #5642. (efac49a f5c6fcc dcbfd83 714acfc 1e0f5f0 b1f8489 6971ebd a010f62)
  • ui: Change active user name on top left with primary identity (49879ef 26b9429)
  • eas: Use bare email address. Closes #5612 and #5640 (2d9a709 e1c7e32)
  • eas: Ensure correct encoding of attachments. Closes #5330 (dff907a)
  • eas: Ensure Templates and Junk folders exist. Closes #5626 (2ffe3d7)

Enhancements

  • mail: Improve IMAP fetch sorting using NSDictionary keys instead of indexOfObject (40b5c09 48c7375 60ec315 38e886a)
  • calendar: Add SOGoDisableOrganizerEventCheck parameter - this parameter is used to avoid checking calendar event’s organizer (cddfdb9)
  • calendar: Refresh data when clicking on ‘today’ (5fb82fe)
  • login: Add button to discover password (7bfa900)

Localization

  • da_DK: Update Danish translations (37291fa 0409ee3)
  • fr: Update French translations (4c01ea2)
  • nb_NO: Update Norwegian Bokmål translations (119e387 57fb622 96cd188 0cd7a17)
  • sr: Update Serbian translations (e51aee8)

See the closed tickets for this release and the complete change log.
