Vulnerability Details : CVE-2014-9905
Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) title of an appointment or (2) contact fields.
Vulnerability category: Cross site scripting (XSS)
Exploit prediction scoring system (EPSS) score for CVE-2014-9905
Probability of exploitation activity in the next 30 days: 0.22%
Percentile (the proportion of vulnerabilities scored at or below this one): ~59%
CVSS scores for CVE-2014-9905
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST |
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST |
CWE ids for CVE-2014-9905
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-9905
- https://github.com/inverse-inc/sogo/commit/1a7fc2a0e90a19dfb1fce292ae5ff53aa513ade9 : Escape HTML in JSON of calendar module (inverse-inc/sogo@1a7fc2a, GitHub). Patch
- https://github.com/inverse-inc/sogo/commit/c94595ea7f0f843c2d7abf25df039b2bbe707625 : Escape HTML in CSS dialogs (inverse-inc/sogo@c94595e, GitHub). Patch
- https://github.com/inverse-inc/sogo/commit/80a09407652ec04e8c9fb6cb48e1029e69a15765 : Escape HTML in JSON of contacts module (inverse-inc/sogo@80a0940, GitHub). Patch
- http://www.openwall.com/lists/oss-security/2016/07/09/3 : oss-security - Re: CVE request: several SOGo issues (DOS, XSS, information leakage). Mailing List; Patch; VDB Entry
- https://sogo.nu/bugs/view.php?id=2598 : 0002598: Script injection in calendar title (SOGo bug tracker). Vendor Advisory
- https://github.com/inverse-inc/sogo/commit/3a5e44e7eb8b390b67a8f8a83030b49606956501 : Decode HTML entities in JSON of calendar module (inverse-inc/sogo@3a5e44e, GitHub). Patch
Products affected by CVE-2014-9905
- cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:*