Your message dated Fri, 15 Aug 2025 06:56:40 +0000
with message-id <[email protected]>
and subject line Re: Bug#1110604: sogo: CVE-2025-50340
has caused the Debian Bug report #1110604,
regarding sogo: CVE-2025-50340
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1110604: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110604
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: sogo
Version: 5.12.1-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi Jordi,

The following vulnerability was published for sogo.

CVE-2025-50340[0]:
| An Insecure Direct Object Reference (IDOR) vulnerability was
| discovered in SOGo Webmail thru 5.6.0, allowing an authenticated
| user to send emails on behalf of other users by manipulating a user-
| controlled identifier in the email-sending request. The server fails
| to verify whether the authenticated user is authorized to use the
| specified sender identity, resulting in unauthorized message
| delivery as another user. This can lead to impersonation, phishing,
| or unauthorized communication within the system.

it is unclear if this is something which can be tackled in SoGo, and
if there is a fixed version upstream. That the CVE description
mentions only versions up to 5.6.0 is unfortunately no clear
indication, nor do the 5.7.0 release notes seem to have anything
in that direction.

Can you thus please investigate (keep [email protected] in loop please)?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-50340
    https://www.cve.org/CVERecord?id=CVE-2025-50340
[1] https://github.com/millad7/SOGo_web_mail-vulnerability-CVE-2025-50340

Regards,
Salvatore

--- End Message ---
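The CVE text above describes a missing authorization step between the authenticated session and a client-supplied sender identifier. The following Python model is an added example, not SOGo's code and not a reproduction of the reported issue (the reply below records upstream's statement on it); the identity tables, the `SendRequest` fields and the function names are constructed for illustration. It places the unchecked lookup beside a hardened one that binds the identifier to the session user before an envelope is built.

```python
"""Model of a "send as" identity authorization check.

Added, hypothetical example (not SOGo's code). It models the class of flaw
described in the CVE text: a send request carries a client-chosen identity
identifier, and the server must verify that the authenticated session owns
that identity before the message is handed to the MTA.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample directory: which sender addresses each account may use.
# A real deployment derives this from the user's primary address plus any
# configured aliases/identities, never from a hard-coded table.
ALLOWED_IDENTITIES = {
    "alice": {"alice@example.org", "support@example.org"},
    "bob": {"bob@example.org"},
}

# Constructed identity records keyed by an opaque identifier, the kind of
# value an IDOR attack tampers with in the send request.
IDENTITY_BY_ID = {
    "id-1": "alice@example.org",
    "id-2": "support@example.org",
    "id-3": "bob@example.org",
}


@dataclass
class SendRequest:
    session_user: str   # established server-side at login, not client data
    identity_id: str    # client-supplied: which identity to send as
    to: str
    subject: str


class Forbidden(Exception):
    """Raised when the session user does not own the requested identity."""


def resolve_sender_unchecked(req: SendRequest) -> Optional[str]:
    """Vulnerable pattern: trusts the client-supplied identifier outright.

    Any authenticated user who guesses or enumerates another account's
    identity id gets that address placed in the From header.
    """
    return IDENTITY_BY_ID.get(req.identity_id)


def resolve_sender_checked(req: SendRequest) -> Optional[str]:
    """Hardened pattern: the identifier must resolve to an identity the
    session user owns. Returns the address, or None if not authorized.

    The check keys off req.session_user (server-side fact), so tampering
    with identity_id cannot cross account boundaries. Case is normalized
    so 'Alice@Example.org' and 'alice@example.org' compare equal.
    """
    sender = IDENTITY_BY_ID.get(req.identity_id)
    if sender is None:
        return None
    owned = {a.lower() for a in ALLOWED_IDENTITIES.get(req.session_user, set())}
    return sender if sender.lower() in owned else None


def build_envelope(req: SendRequest,
                   resolver: Callable[[SendRequest], Optional[str]]) -> dict:
    """Build the outgoing envelope; refuses to proceed without a resolved sender."""
    sender = resolver(req)
    if sender is None:
        raise Forbidden(
            f"{req.session_user} may not send as identity {req.identity_id}")
    return {"from": sender, "to": req.to, "subject": req.subject}


def demo() -> tuple:
    """Bob submits alice's identity id. Returns (unchecked From, checked From)."""
    req = SendRequest("bob", "id-1", "victim@example.org", "hello")
    unchecked_from = build_envelope(req, resolve_sender_unchecked)["from"]
    try:
        checked_from = build_envelope(req, resolve_sender_checked)["from"]
    except Forbidden:
        checked_from = None
    return unchecked_from, checked_from


if __name__ == "__main__":
    print(demo())
```

In practice the identifier should also be scoped per user in storage (for example, looked up only within the session user's own identity list) so that the resolution step itself cannot return another account's record; the explicit ownership check above is the defense in depth that still holds when that scoping is missed.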
--- Begin Message ---
On Thu, Aug 14, 2025 at 08:57:43PM +0200, Peter Wienemann wrote:
> Hi,
> 
> On 2025-08-09 11:40:28, Salvatore Bonaccorso wrote:
> > Hi Jordi,
> > 
> > The following vulnerability was published for sogo.
> > 
> > CVE-2025-50340[0]:
> > | An Insecure Direct Object Reference (IDOR) vulnerability was
> > | discovered in SOGo Webmail thru 5.6.0, allowing an authenticated
> > | user to send emails on behalf of other users by manipulating a user-
> > | controlled identifier in the email-sending request. The server fails
> > | to verify whether the authenticated user is authorized to use the
> > | specified sender identity, resulting in unauthorized message
> > | delivery as another user. This can lead to impersonation, phishing,
> > | or unauthorized communication within the system.
> > 
> > it is unclear if this is something which can be tackled in SoGo, and
> > if there is a fixed version upstream. That the CVE description
> > mentions only versions up to 5.6.0 is unfortunately no clear
> > indication, nor do the 5.7.0 release notes seem to have anything
> > in that direction.
> > 
> > Can you thus please investigate (keep [email protected] in loop please)?
> 
> today one of the upstream developers made a statement on CVE-2025-50340:
> 
> https://www.mail-archive.com/users%40sogo.nu/msg34098.html

Thanks! We've marked it as a non issue in the Debian Security tracker and
let's also close this bug.

Cheers,
        Moritz

--- End Message ---
