{"url":"http://public2.vulnerablecode.io/api/packages/516400?format=json","purl":"pkg:deb/debian/sogo@2.0.5a-1~bpo70%2B1","type":"deb","namespace":"debian","name":"sogo","version":"2.0.5a-1~bpo70+1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.12.8-2","latest_non_vulnerable_version":"5.12.8-2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101098?format=json","vulnerability_id":"VCID-1m5x-69jd-1yh1","summary":"Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) title of an appointment or (2) contact fields.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-9905","reference_id":"","reference_type":"","scores":[{"value":"0.006","scoring_system":"epss","scoring_elements":"0.6984","published_at":"2026-06-04T12:55:00Z"},{"value":"0.006","scoring_system":"epss","scoring_elements":"0.6988","published_at":"2026-06-05T12:55:00Z"},{"value":"0.006","scoring_system":"epss","scoring_elements":"0.69888","published_at":"2026-06-06T12:55:00Z"},{"value":"0.006","scoring_system":"epss","scoring_elements":"0.69878","published_at":"2026-06-07T12:55:00Z"},{"value":"0.006","scoring_system":"epss","scoring_elements":"0.69868","published_at":"2026-06-08T12:55:00Z"},{"value":"0.006","scoring_system":"epss","scoring_elements":"0.6989","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-9905"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9905","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9905"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516401?format=json","purl":"pkg:deb/debian/sogo@2.2.9%2Bgit20141017-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1uzg-nqg9-jbeh"},{"vulnerability":"VCID-4d98-ecc4-qbhj"},{"vulnerability":"VCID-5ucu-wd23-xqbd"},{"vulnerability":"VCID-655c-kzkc-mqax"},{"vulnerability":"VCID-ah2e-7pmy-duaq"},{"vulnerability":"VCID-b5ms-52tc-jyfr"},{"vulnerability":"VCID-tx17-dtch-bbd9"},{"vulnerability":"VCID-xb7e-naqj-jubc"},{"vulnerability":"VCID-xvd2-gc52-qkbd"},{"vulnerability":"VCID-ygwv-aqdf-pqe7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/sogo@2.2.9%252Bgit20141017-1"}],"aliases":["CVE-2014-9905"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1m5x-69jd-1yh1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101101?format=json","vulnerability_id":"VCID-1uzg-nqg9-jbeh","summary":"Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-6189","reference_id":"","reference_type":"","scores":[{"value":"0.00173","scoring_system":"epss","scoring_elements":"0.3848","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00173","scoring_system":"epss","scoring_elements":"0.38569","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00173","scoring_system":"epss","scoring_elements":"0.38571","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00173","scoring_system":"epss","scoring_elements":"0.38543","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00173","scoring_system":"epss","scoring_elements":"0.38514","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00173","scoring_system":"epss","scoring_elements":"0.38524","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-6189"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6189","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6189"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516402?format=json","purl":"pkg:deb/debian/sogo@3.2.6-1~bpo8%2B1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ucu-wd23-xqbd"},{"vulnerability":"VCID-tx17-dtch-bbd9"},{"vulnerability":"VCID-xb7e-naqj-jubc"},{"vulnerability":"VCID-xvd2-gc52-qkbd"},{"vulnerability":"VCID-ygwv-aqdf-pqe7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/sogo@3.2.6-1~bpo8%252B1"}],"aliases":["CVE-2016-6189"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1uzg-nqg9-jbeh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101100?format=json","vulnerability_id":"VCID-4d98-ecc4-qbhj","summary":"Memory leak in SOGo 2.3.7 allows remote attackers to cause a denial of service (memory consumption) via a large number of attempts to upload a large attachment, related to temporary files.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-6188","reference_id":"","reference_type":"","scores":[{"value":"0.01516","scoring_system":"epss","scoring_elements":"0.81554","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01516","scoring_system":"epss","scoring_elements":"0.81582","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01516","scoring_system":"epss","scoring_elements":"0.81585","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01516","scoring_system":"epss","scoring_elements":"0.81584","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01516","scoring_system":"epss","scoring_elements":"0.81576","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01516","scoring_system":"epss","scoring_elements":"0.81592","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-6188"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6188","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6188"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516402?format=json","purl":"pkg:deb/debian/sogo@3.2.6-1~bpo8%2B1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ucu-wd23-xqbd"},{"vulnerability":"VCID-tx17-dtch-bbd9"},{"vulnerability":"VCID-xb7e-naqj-jubc"},{"vulnerability":"VCID-xvd2-gc52-qkbd"},{"vulnerability":"VCID-ygwv-aqdf-pqe7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/sogo@3.2.6-1~bpo8%252B1"}],"aliases":["CVE-2016-6188"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4d98-ecc4-qbhj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101113?format=json","vulnerability_id":"VCID-5ucu-wd23-xqbd","summary":"alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the \"userName\" parameter.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-63498","reference_id":"","reference_type":"","scores":[{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.19522","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.19473","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.19517","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22465","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.2246","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-63498"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-63498","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-63498"},{"reference_url":"https://github.com/Alinto/sogo/commit/9e20190fad1a437f7e1307f0adcfe19a8d45184c","reference_id":"9e20190fad1a437f7e1307f0adcfe19a8d45184c","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-24T21:02:47Z/"}],"url":"https://github.com/Alinto/sogo/commit/9e20190fad1a437f7e1307f0adcfe19a8d45184c"},{"reference_url":"https://github.com/xryptoh/CVE-2025-63498","reference_id":"CVE-2025-63498","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-24T21:02:47Z/"}],"url":"https://github.com/xryptoh/CVE-2025-63498"},{"reference_url":"https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.4","reference_id":"SOGo-5.12.4","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-24T21:02:47Z/"}],"url":"https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195942?format=json","purl":"pkg:deb/debian/sogo@5.8.0-2%2Bdeb12u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9p9m-f8ew-uyc2"},{"vulnerability":"VCID-cw6q-wr8b-dkh2"},{"vulnerability":"VCID-dhtb-1qsf-fyc2"},{"vulnerability":"VCID-qd6g-z5mu-7be7"},{"vulnerability":"VCID-t3g4-3719-8qfc"},{"vulnerability":"VCID-va35-68ne-mya3"},{"vulnerability":"VCID-zrpr-8nxx-zbc8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/sogo@5.8.0-2%252Bdeb12u2"}],"aliases":["CVE-2025-63498"],"risk_score":2.8,"exploitability":"0.5","weighted_severity":"5.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5ucu-wd23-xqbd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101099?format=json","vulnerability_id":"VCID-655c-kzkc-mqax","summary":"Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-5395","reference_id":"","reference_type":"","scores":[{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.5293","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52991","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52998","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52978","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52953","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52977","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-5395"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5395","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5395"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796197","reference_id":"796197","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796197"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516402?format=json","purl":"pkg:deb/debian/sogo@3.2.6-1~bpo8%2B1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ucu-wd23-xqbd"},{"vulnerability":"VCID-tx17-dtch-bbd9"},{"vulnerability":"VCID-xb7e-naqj-jubc"},{"vulnerability":"VCID-xvd2-gc52-qkbd"},{"vulnerability":"VCID-ygwv-aqdf-pqe7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/sogo@3.2.6-1~bpo8%252B1"}],"aliases":["CVE-2015-5395"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-655c-kzkc-mqax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101102?format=json","vulnerability_id":"VCID-ah2e-7pmy-duaq","summary":"SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the \"View the Date & Time\" restriction, as demonstrated by correlating UIDs and DTSTAMPs between all users.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-6190","reference_id":"","reference_type":"","scores":[{"value":"0.002","scoring_system":"epss","scoring_elements":"0.41936","published_at":"2026-06-04T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.42011","published_at":"2026-06-05T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.42021","published_at":"2026-06-06T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.41992","published_at":"2026-06-07T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.41957","published_at":"2026-06-08T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.41965","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-6190"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6190","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6190"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516402?format=json","purl":"pkg:deb/debian/sogo@3.2.6-1~bpo8%2B1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ucu-wd23-xqbd"},{"vulnerability":"VCID-tx17-dtch-bbd9"},{"vulnerability":"VCID-xb7e-naqj-jubc"},{"vulnerability":"VCID-xvd2-gc52-qkbd"},{"vulnerability":"VCID-ygwv-aqdf-pqe7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/sogo@3.2.6-1~bpo8%252B1"}],"aliases":["CVE-2016-6190"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ah2e-7pmy-duaq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101103?format=json","vulnerability_id":"VCID-b5ms-52tc-jyfr","summary":"Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Description, (2) Location, (3) URL, or (4) Title field.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-6191","reference_id":"","reference_type":"","scores":[{"value":"0.00332","scoring_system":"epss","scoring_elements":"0.56357","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00332","scoring_system":"epss","scoring_elements":"0.56413","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00332","scoring_system":"epss","scoring_elements":"0.56419","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00332","scoring_system":"epss","scoring_elements":"0.56407","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00332","scoring_system":"epss","scoring_elements":"0.5639","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00332","scoring_system":"epss","scoring_elements":"0.56408","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-6191"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6191","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6191"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516402?format=json","purl":"pkg:deb/debian/sogo@3.2.6-1~bpo8%2B1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ucu-wd23-xqbd"},{"vulnerability":"VCID-tx17-dtch-bbd9"},{"vulnerability":"VCID-xb7e-naqj-jubc"},{"vulnerability":"VCID-xvd2-gc52-qkbd"},{"vulnerability":"VCID-ygwv-aqdf-pqe7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/sogo@3.2.6-1~bpo8%252B1"}],"aliases":["CVE-2016-6191"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b5ms-52tc-jyfr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101112?format=json","vulnerability_id":"VCID-tx17-dtch-bbd9","summary":"Alinto SOGo through 5.10.0 allows XSS during attachment preview.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34462","reference_id":"","reference_type":"","scores":[{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.27971","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00109","scoring_system":"epss","scoring_elements":"0.2876","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00109","scoring_system":"epss","scoring_elements":"0.28725","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00109","scoring_system":"epss","scoring_elements":"0.2869","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00126","scoring_system":"epss","scoring_elements":"0.31341","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34462"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34462","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34462"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071163","reference_id":"1071163","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071163"},{"reference_url":"https://github.com/Alinto/sogo/commit/2e37e59ed140d4aee0ff2fba579ca5f83f2c5920","reference_id":"2e37e59ed140d4aee0ff2fba579ca5f83f2c5920","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-05T14:09:26Z/"}],"url":"https://github.com/Alinto/sogo/commit/2e37e59ed140d4aee0ff2fba579ca5f83f2c5920"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195942?format=json","purl":"pkg:deb/debian/sogo@5.8.0-2%2Bdeb12u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9p9m-f8ew-uyc2"},{"vulnerability":"VCID-cw6q-wr8b-dkh2"},{"vulnerability":"VCID-dhtb-1qsf-fyc2"},{"vulnerability":"VCID-qd6g-z5mu-7be7"},{"vulnerability":"VCID-t3g4-3719-8qfc"},{"vulnerability":"VCID-va35-68ne-mya3"},{"vulnerability":"VCID-zrpr-8nxx-zbc8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/sogo@5.8.0-2%252Bdeb12u2"}],"aliases":["CVE-2024-34462"],"risk_score":2.8,"exploitability":"0.5","weighted_severity":"5.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tx17-dtch-bbd9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101105?format=json","vulnerability_id":"VCID-xb7e-naqj-jubc","summary":"Cross Site Scripting (XSS) vulnerability in SOGo Web Mail before 4.3.1 allows attackers to obtain user sensitive information when a user reads an email containing malicious code.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-22402","reference_id":"","reference_type":"","scores":[{"value":"0.00117","scoring_system":"epss","scoring_elements":"0.30084","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00117","scoring_system":"epss","scoring_elements":"0.30069","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00117","scoring_system":"epss","scoring_elements":"0.30092","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00117","scoring_system":"epss","scoring_elements":"0.30164","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00117","scoring_system":"epss","scoring_elements":"0.30128","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00117","scoring_system":"epss","scoring_elements":"0.30098","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-22402"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22402","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22402"},{"reference_url":"https://sogo.nu/bugs/view.php?id=4979","reference_id":"view.php?id=4979","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-03T17:02:02Z/"}],"url":"https://sogo.nu/bugs/view.php?id=4979"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195941?format=json","purl":"pkg:deb/debian/sogo@5.0.1-4%2Bdeb11u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ucu-wd23-xqbd"},{"vulnerability":"VCID-6erg-kjz7-kqdz"},{"vulnerability":"VCID-9p9m-f8ew-uyc2"},{"vulnerability":"VCID-az7h-naug-83gx"},{"vulnerability":"VCID-cw6q-wr8b-dkh2"},{"vulnerability":"VCID-dhtb-1qsf-fyc2"},{"vulnerability":"VCID-qd6g-z5mu-7be7"},{"vulnerability":"VCID-t3g4-3719-8qfc"},{"vulnerability":"VCID-tg7q-8tw6-wyfx"},{"vulnerability":"VCID-tx17-dtch-bbd9"},{"vulnerability":"VCID-va35-68ne-mya3"},{"vulnerability":"VCID-xvd2-gc52-qkbd"},{"vulnerability":"VCID-zmac-e9t8-d7cg"},{"vulnerability":"VCID-zrpr-8nxx-zbc8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/sogo@5.0.1-4%252Bdeb11u1"}],"aliases":["CVE-2020-22402"],"risk_score":1.5,"exploitability":"0.5","weighted_severity":"3.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xb7e-naqj-jubc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101114?format=json","vulnerability_id":"VCID-xvd2-gc52-qkbd","summary":"Alinto Sogo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-63499","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01879","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01865","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01876","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01884","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.0296","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-63499"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-63499","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-63499"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121952","reference_id":"1121952","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121952"},{"reference_url":"https://github.com/poblaguev-tot/CVE-2025-63499","reference_id":"CVE-2025-63499","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-05T17:31:21Z/"}],"url":"https://github.com/poblaguev-tot/CVE-2025-63499"},{"reference_url":"https://email.example.com/SOGo/so/victim@example.com/Mail/view?theme=%27%3CScRiPt%20%3Ealert%289998%29%3C%2FScRiPt%3E","reference_id":"view?theme=%27%3CScRiPt%20%3Ealert%289998%29%3C%2FScRiPt%3E","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-05T17:31:21Z/"}],"url":"https://email.example.com/SOGo/so/victim@example.com/Mail/view?theme=%27%3CScRiPt%20%3Ealert%289998%29%3C%2FScRiPt%3E"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195942?format=json","purl":"pkg:deb/debian/sogo@5.8.0-2%2Bdeb12u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9p9m-f8ew-uyc2"},{"vulnerability":"VCID-cw6q-wr8b-dkh2"},{"vulnerability":"VCID-dhtb-1qsf-fyc2"},{"vulnerability":"VCID-qd6g-z5mu-7be7"},{"vulnerability":"VCID-t3g4-3719-8qfc"},{"vulnerability":"VCID-va35-68ne-mya3"},{"vulnerability":"VCID-zrpr-8nxx-zbc8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/sogo@5.8.0-2%252Bdeb12u2"}],"aliases":["CVE-2025-63499"],"risk_score":2.8,"exploitability":"0.5","weighted_severity":"5.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xvd2-gc52-qkbd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101106?format=json","vulnerability_id":"VCID-ygwv-aqdf-pqe7","summary":"SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-33054","reference_id":"","reference_type":"","scores":[{"value":"0.0012","scoring_system":"epss","scoring_elements":"0.30479","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0012","scoring_system":"epss","scoring_elements":"0.30552","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0012","scoring_system":"epss","scoring_elements":"0.30519","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0012","scoring_system":"epss","scoring_elements":"0.30489","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0012","scoring_system":"epss","scoring_elements":"0.30456","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0012","scoring_system":"epss","scoring_elements":"0.30472","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-33054"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33054","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33054"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989479","reference_id":"989479","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989479"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516404?format=json","purl":"pkg:deb/debian/sogo@4.0.7-1%2Bdeb10u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ucu-wd23-xqbd"},{"vulnerability":"VCID-tx17-dtch-bbd9"},{"vulnerability":"VCID-xb7e-naqj-jubc"},{"vulnerability":"VCID-xvd2-gc52-qkbd"},{"vulnerability":"VCID-ygwv-aqdf-pqe7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/sogo@4.0.7-1%252Bdeb10u2"},{"url":"http://public2.vulnerablecode.io/api/packages/195941?format=json","purl":"pkg:deb/debian/sogo@5.0.1-4%2Bdeb11u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ucu-wd23-xqbd"},{"vulnerability":"VCID-6erg-kjz7-kqdz"},{"vulnerability":"VCID-9p9m-f8ew-uyc2"},{"vulnerability":"VCID-az7h-naug-83gx"},{"vulnerability":"VCID-cw6q-wr8b-dkh2"},{"vulnerability":"VCID-dhtb-1qsf-fyc2"},{"vulnerability":"VCID-qd6g-z5mu-7be7"},{"vulnerability":"VCID-t3g4-3719-8qfc"},{"vulnerability":"VCID-tg7q-8tw6-wyfx"},{"vulnerability":"VCID-tx17-dtch-bbd9"},{"vulnerability":"VCID-va35-68ne-mya3"},{"vulnerability":"VCID-xvd2-gc52-qkbd"},{"vulnerability":"VCID-zmac-e9t8-d7cg"},{"vulnerability":"VCID-zrpr-8nxx-zbc8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/sogo@5.0.1-4%252Bdeb11u1"}],"aliases":["CVE-2021-33054"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ygwv-aqdf-pqe7"}],"fixing_vulnerabilities":[],"risk_score":"2.8","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/sogo@2.0.5a-1~bpo70%252B1"}