CVE-2016-6189

Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.

CVSS v3.0 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://sogo.nu/bugs/view.php?id=3695	Exploit Vendor Advisory
https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d	Patch
https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225	Patch
http://www.openwall.com/lists/oss-security/2016/07/09/3	Mailing List VDB Entry

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:inverse:sogo::::::::
	cpe:2.3:a:inverse:sogo::::::::

Information

Published : 2017-02-17 17:59

Updated : 2019-11-07 21:58

NVD link : CVE-2016-6189

Mitre link : CVE-2016-6189

JSON object : View

Products Affected

inverse

sogo

CWE

CWE-184

Incomplete List of Disallowed Inputs

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://sogo.nu/bugs/view.php?id=3695", "name": "https://sogo.nu/bugs/view.php?id=3695", "tags": ["Exploit", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d", "name": "https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d", "tags": ["Patch"], "refsource": "CONFIRM"}, {"url": "https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225", "name": "https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225", "tags": ["Patch"], "refsource": "CONFIRM"}, {"url": "http://www.openwall.com/lists/oss-security/2016/07/09/3", "name": "[oss-security] 20160709 Re: CVE request: several SOGo issues (DOS, XSS, information leakage)", "tags": ["Mailing List", "VDB Entry"], "refsource": "MLIST"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-184"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2016-6189", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}}, "publishedDate": "2017-02-17T17:59Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:inverse:sogo:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.3.12"}, {"cpe23Uri": "cpe:2.3:a:inverse:sogo:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "3.1.1", "versionStartIncluding": "3.0.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2019-11-07T21:58Z"}