Vulnerability Details CVE-2016-6190
SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the "View the Date & Time" restriction, as demonstrated by correlating UIDs and DTSTAMPs between all users.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 42.4%
CVSS Severity
CVSS v3 Score 4.3
CVSS v2 Score 4.0
References
- http://www.openwall.com/lists/oss-security/2016/07/09/3
- https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225
- https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d
- https://sogo.nu/bugs/view.php?id=3696
- http://www.openwall.com/lists/oss-security/2016/07/09/3
- https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225
- https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d
- https://sogo.nu/bugs/view.php?id=3696
Products affected by CVE-2016-6190
-
cpe:2.3:a:inverse-inc:sogo:*
-
cpe:2.3:a:inverse-inc:sogo:3.0.0
-
cpe:2.3:a:inverse-inc:sogo:3.0.1
-
cpe:2.3:a:inverse-inc:sogo:3.0.2
-
cpe:2.3:a:inverse-inc:sogo:3.1.0