Detections
Analytics

CVE-2025-50340

medium

Description

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in SOGo Webmail thru 5.6.0, allowing an authenticated user to send emails on behalf of other users by manipulating a user-controlled identifier in the email-sending request. The server fails to verify whether the authenticated user is authorized to use the specified sender identity, resulting in unauthorized message delivery as another user. This can lead to impersonation, phishing, or unauthorized communication within the system. NOTE: this is disputed by the Supplier because the only effective way to prevent this sender spoofing is on the SMTP server, not within a client such as SOGo.

References

https://www.sogo.nu/

https://www.mail-archive.com/users%40sogo.nu/msg34098.html

https://github.com/millad7/SOGo_web_mail-vulnerability-CVE-2025-50340

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110604

Details

Source: Mitre, NVD

Published: 2025-08-04

Updated: 2025-08-15

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 4.3

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00018