SOGo prior to 2.3.12 and 3.x prior to 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the "View the Date & Time" restriction, as demonstrated by correlating UIDs and DTSTAMPs between all users.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
inverse-inc sogo 3.1.0 |
||
inverse-inc sogo 3.0.1 |
||
inverse-inc sogo |
||
inverse-inc sogo 3.0.0 |
||
inverse-inc sogo 3.0.2 |