CVE-2014-9905
Published: 17 February 2017
Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) title of an appointment or (2) contact fields.
Notes
| Author | Note |
|---|---|
| tyhicks | upstream bug tracker says this is fixed in 2.2.0 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
sogo Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
|
| bionic |
Not vulnerable
|
|
| cosmic |
Not vulnerable
|
|
| disco |
Not vulnerable
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
(trusty was needed)
|
|
| upstream |
Needs triage
|
|
| wily |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
| yakkety |
Not vulnerable
|
|
| zesty |
Not vulnerable
|
|
|
Patches: upstream: https://github.com/inverse-inc/sogo/commit/1a7fc2a0e90a19dfb1fce292ae5ff53aa513ade9 upstream: https://github.com/inverse-inc/sogo/commit/80a09407652ec04e8c9fb6cb48e1029e69a15765 upstream: https://github.com/inverse-inc/sogo/commit/3a5e44e7eb8b390b67a8f8a83030b49606956501 upstream: https://github.com/inverse-inc/sogo/commit/c94595ea7f0f843c2d7abf25df039b2bbe707625 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.1 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |