CVE-2025-50340

Published: Aug 4, 2025Modified: Aug 15, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in SOGo Webmail thru 5.6.0, allowing an authenticated user to send emails on behalf of other users by manipulating a user-controlled identifier in the email-sending request. The server fails to verify whether the authenticated user is authorized to use the specified sender identity, resulting in unauthorized message delivery as another user. This can lead to impersonation, phishing, or unauthorized communication within the system. NOTE: this is disputed by the Supplier because the only effective way to prevent this sender spoofing is on the SMTP server, not within a client such as SOGo.

Related CWEs

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (4)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110604

Source: cve@mitre.org

https://github.com/millad7/SOGo_web_mail-vulnerability-CVE-2025-50340

Source: cve@mitre.org

https://www.mail-archive.com/users%40sogo.nu/msg34098.html

Source: cve@mitre.org

https://www.sogo.nu/

Source: cve@mitre.org

Timeline

No history available yet.