Listen to this Post
The vulnerability exists in SOGo, an open-source groupware server, affecting versions prior to 5.12.5. It is a stored Cross-Site Scripting (XSS) flaw that resides in how the application handles categories assigned to events, tasks, and contacts. User-controlled input in category fields is not properly sanitized or escaped before being rendered in the web interface. An authenticated attacker can inject malicious JavaScript payloads into a category name. When any other user views a calendar event, task, or contact that uses the tainted category, the payload executes in their browser within the context of the SOGo session. This allows the attacker to steal session cookies, perform unauthorized actions on behalf of the victim, or deface the interface. The attack requires the victim to view the manipulated item; no direct interaction beyond that is needed. The injected script persists in the database until the category is manually cleaned. The root cause is insufficient output encoding in the UI components that display category tags. Because categories are shared across users (e.g., in shared calendars), the impact can propagate quickly in collaborative environments. The issue was addressed in SOGo 5.12.5 by introducing proper HTML escaping and Content Security Policy (CSP) improvements. Publicly available advisories confirm the vulnerability and the fixed version.
Platform: SOGo groupware server
Version: before 5.12.5
Vulnerability: Stored cross-site scripting
Severity: Medium (CVSS 6.1)
date: 2026-03-21
Prediction: Already patched 5.12.5
What Undercode Say:
Check installed SOGo version
sogod --version
Test for vulnerable categories via curl (requires authenticated session)
curl -X PUT -H "Content-Type: application/json" -d '{"categories":["<script>alert(1)</script>"]}' \
"https://target/SOGo/so/<user>/calendar/personal/<event-id>/"
Verify sanitization in fixed version (expected escaped output)
curl -s "https://target/SOGo/so/<user>/calendar/personal/<event-id>" | grep -o "<script>"
Exploit:
1. Authenticate to SOGo as an attacker.
- Create or edit a calendar event, task, or contact.
- Set a category field to: `
`
4. Save the item.
- Wait for a victim to view the same item (e.g., shared calendar).
- Payload executes in victim’s browser, stealing session tokens.
Protection from this CVE
- Upgrade to SOGo version 5.12.5 or later.
- Apply strict Content Security Policy (CSP) headers to block inline scripts.
- Sanitize all user-supplied category names using a library like OWASP Java Encoder.
- Disable shared calendars if upgrade is not immediately possible.
Impact
- Session hijacking allowing full account takeover.
- Unauthorized modification of calendar/task/contact data.
- Phishing via injected content within the trusted SOGo interface.
- Potential lateral movement in environments with shared groupware access.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

