CVE-2025-63498

CVSS score: 6.1 (MEDIUM)

📋 TL;DR

CVE-2025-63498 is a cross-site scripting (XSS) vulnerability in Alinto SOGo 5.12.3 that allows an attacker to inject script into a page via the 'userName' parameter. A victim who opens an attacker-crafted link runs the injected script in the context of their own SOGo session, which can lead to session hijacking, credential theft, or unauthorized actions performed as that user. All SOGo deployments running version 5.12.3 or earlier are affected.

💻 Affected Systems

Products:
  • alinto SOGo
Versions: 5.12.3 and earlier
Operating Systems: All platforms running SOGo
Default Config Vulnerable: ⚠️ Yes
Notes: All SOGo deployments with the vulnerable version are affected regardless of configuration.

📦 What is this software?

SOGo is an open-source groupware server maintained by Alinto. It provides webmail, calendaring and address books through a browser-based interface and also exposes them over CalDAV, CardDAV and ActiveSync, so it is commonly deployed as an internet-facing service.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, compromise user accounts, perform unauthorized actions as authenticated users, and potentially pivot to other systems.

🟠 Likely Case

Attackers steal user session cookies or credentials, leading to account compromise and unauthorized access to email/calendar data.

🟢 If Mitigated

Limited to session hijacking of users who interact with malicious content, with no privilege escalation beyond the victim's permissions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction: the victim must open an attacker-crafted link that carries the payload in the userName parameter. Once the reflection point is known, building such a link is technically simple.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SOGo 5.12.4

Vendor Advisory: https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.4

Restart Required: Yes

Instructions:

1. Back up the current SOGo configuration and data.
2. Download SOGo 5.12.4 from the official repository.
3. Stop the SOGo service.
4. Install the new version.
5. Restart the SOGo service.
6. Verify functionality and confirm the reported version is 5.12.4 or later.

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Implement server-side validation so that the userName parameter is rejected, or HTML-encoded, before it is reflected into the page.

# Requires custom code modification to SOGo source; treat as a last resort compared with upgrading

Content Security Policy (all platforms)

Serve a strict CSP header from the web server or reverse proxy in front of SOGo to limit the impact of XSS. A policy without 'unsafe-inline' blocks inline scripts and inline event handlers, which is what a reflected payload relies on, but the same restriction can break parts of the SOGo web UI. Roll it out in Report-Only mode first and inspect the browser reports before enforcing it.

# Add to web server config (test first): Content-Security-Policy-Report-Only: default-src 'self'
# Then enforce: Content-Security-Policy: default-src 'self'

🧯 If You Can't Patch

  • Implement WAF rules that URL-decode the userName parameter before matching, so encoded payloads (e.g. %3Cscript) are not missed
  • Restrict access to the SOGo interface to trusted networks only

🔍 How to Verify

Check if Vulnerable:

Check SOGo version: if version is 5.12.3 or earlier, system is vulnerable

Check Version:

sogo-tool version | grep 'SOGo'

If your packaging does not expose that subcommand, query the package manager instead (the package is named sogo on Debian/Ubuntu and RHEL-family systems): dpkg -l sogo or rpm -q sogo

Verify Fix Applied:

Confirm the SOGo version is 5.12.4 or later, then test the userName parameter with XSS payloads (on a staging instance or with the owner's authorization) and confirm the value is reflected encoded rather than as executable markup.

📡 Detection & Monitoring

Log Indicators:

  • Unusual userName parameter values containing script tags, event-handler attributes (onload=, onerror=, ...) or javascript: URIs
  • Multiple failed login attempts with suspicious userName values

Network Indicators:

  • HTTP requests with a userName parameter containing script tags or URL-encoded/double-encoded payloads

SIEM Query:

web_requests userName=*script* OR userName=*javascript* OR userName=*onload*

This query only matches payloads that appear unencoded in the log. Normalise (URL-decode) the parameter before matching, or add encoded variants such as %3Cscript and %253Cscript, otherwise a trivially encoded link slips past it.
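As an added example (not from the advisory or the SOGo project), the following script applies the indicators above to web-server access-log lines, decoding the userName value before matching so that URL-encoded and double-encoded payloads are caught. The log lines are constructed for illustration and the combined-log layout is an assumption about your reverse proxy.

```python
"""Detect XSS payloads in the SOGo userName query parameter in access logs.

Added example, not part of SOGo or the original advisory. The sample log
lines are constructed (not real traffic) and assume the common Apache/nginx
combined log format: client IP first, then "METHOD /target HTTP/x.y".
"""
import html
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote, urlparse

# Constructed sample traffic: two benign logins, three payloads with
# increasing levels of encoding, and an unrelated POST.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2025:10:01:02 +0000] "GET /SOGo/?userName=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2025:10:01:09 +0000] "GET /SOGo/?userName=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [10/Nov/2025:10:02:15 +0000] "GET /SOGo/?userName=%22%20onfocus%3Dalert(1)%20autofocus%3D%22 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Nov/2025:10:03:00 +0000] "GET /SOGo/?userName=bob%40example.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Nov/2025:10:04:00 +0000] "GET /SOGo/?userName=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.17 - - [10/Nov/2025:10:05:00 +0000] "POST /SOGo/connect HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

# Pull the request line out of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators that the value tries to introduce script or break out of an
# HTML attribute/text context. Deliberately broad: this is a triage filter.
XSS_PATTERNS = [
    re.compile(r"<\s*/?\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),               # onload=, onerror=, onfocus=...
    re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I),
]


def normalize(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of URL encoding, then HTML entities.

    parse_qsl already removes one layer; this catches double/triple encoding
    that a plain wildcard SIEM query would miss. HTML entities are decoded as
    a conservative measure in case the application decodes them before
    reflecting the value.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return html.unescape(value)


def find_xss_username(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one log line, or None if the line is clean."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    query = urlparse(match.group("target")).query
    for key, raw in parse_qsl(query, keep_blank_values=True):
        if key != "userName":
            continue
        value = normalize(raw)
        hits = [p.pattern for p in XSS_PATTERNS if p.search(value)]
        if hits:
            return {"client": line.split()[0], "userName": value, "matched": hits}
    return None


def scan(log_text: str) -> List[Dict[str, object]]:
    """Scan every line of a log and return the list of findings in order."""
    findings = []
    for line in log_text.splitlines():
        result = find_xss_username(line)
        if result:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['client']}  userName={finding['userName']!r}  "
              f"matched={finding['matched']}")
```

Run it against your own log by replacing SAMPLE_LOG with the file contents; the benign entries (alice, bob@example.com) produce no finding, while the double-encoded entry is only caught because normalize() decodes it a second time.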
