SOGo 2.x prior to 2.4.1 and 3.x through 5.x prior to 5.1.1 do not validate the signatures of any SAML assertions they receive. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)

Vulnerable Product |
---|
inverse sogo |
debian debian linux 9.0 |
debian debian linux 10.0 |
debian debian linux 11.0 |