Bugzilla – Bug 937786
CVE-2015-5395: lack of CSRF protection in sogo
Last modified: 2019-06-18 08:56:54 UTC
Courtesy bug from the SUSE Security team: http://www.sogo.nu/bugs/view.php?id=3246

0003246: No CSRF token - requests can be forged

No CSRF token is used when creating events in calendar, adding contacts, ... An attacker can therefore prepare a website that triggers POST requests for a victim to perform actions under his/her account. Only the username of the victim needs to be known.

- create a new contact
- intercept and save the request
- replace your username with the username of the victim in the request
- create a webpage that sends the POST request automatically
- lure the victim into visiting your webpage
- if the victim is still logged in the action will be performed (i.e. send him/her an email with a link to your site)

Dear maintainers, no upstream release is available. Reference this bug and CVE when you commit a patch or submit a fixed release.

References:
http://www.sogo.nu/bugs/view.php?id=3246
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5395
http://seclists.org/oss-sec/2015/q3/86
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5395
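The mitigation the report asks for, shown as an added example (not SOGo's code and not the content of the upstream fix): a state-changing POST handler that requires a per-session synchronizer token, which a page on another origin cannot read, and that takes the acting user from the session rather than from the request. The handler name, the `SESSIONS` store and the allowed origin are hypothetical.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session store: session id -> session data.
SESSIONS = {}

# Hypothetical origin of the web application; used for a defence-in-depth Origin check.
ALLOWED_ORIGINS = {"https://mail.example.org"}


def login(username):
    """Create a session for a user and mint a random CSRF token bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the application embeds in its own forms; unreadable cross-origin."""
    return SESSIONS[sid]["csrf"]


def handle_create_contact(cookies, form, headers):
    """Hypothetical handler for a state-changing POST such as 'create contact'.

    Returns (status, message). The browser attaches the session cookie to a
    forged cross-site POST as well, so the cookie alone must not authorise it.
    """
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    # Defence in depth: a POST that carries an Origin header from a foreign
    # site is rejected before the token is even looked at.
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "cross-site origin"
    # Synchronizer token: the form must carry the token minted for this session.
    # compare_digest keeps the comparison constant-time.
    sent = form.get("csrf_token", "")
    if not hmac.compare_digest(sent, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    # The acting user comes from the session, never from a username field in
    # the request, so swapping a username in a replayed request has no effect.
    return 200, f"contact '{form.get('name')}' created for {session['user']}"
```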
This issue needs to be solved upstream.
The issue is resolved upstream for versions 3 and 4 of SOGo:
https://sogo.nu/bugs/view.php?id=3246
https://github.com/inverse-inc/sogo/commit/582baf2960969c73f98643e46cfb49432c30b711