CVE-2016-6190 | CVSS 3.1: 4.3 (MEDIUM) | EPSS 0.20%
Description
SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments that carry the "View the Date & Time" restriction, as demonstrated by correlating UIDs and DTSTAMPs across all users.
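As an added illustration (not SOGo's own code), here is a small Python model of the "View the Date & Time" filter: a variant that passes UID and DTSTAMP through, as the affected versions did, beside a fixed variant that keeps only the time window, and a check showing that only the former lets the same event be matched across users' calendars. The property names are standard iCalendar; the sample event, user names and helper functions are constructed for the example.

```python
# Added example (not SOGo's own code): model of the "View the Date & Time"
# filter for iCalendar VEVENTs. The vulnerable variant mirrors CVE-2016-6190:
# it hides titles and locations but passes UID and DTSTAMP through, so a shared
# event stays matchable across calendars. The fixed variant keeps only the time window.

ALLOW_DATE_TIME = {"DTSTART", "DTEND", "DURATION"}
LEAKED_BEFORE_FIX = {"UID", "DTSTAMP"}

def parse_vevent(text):
    """Parse one unfolded VEVENT body into a dict of property -> value."""
    props = {}
    for line in text.strip().splitlines():
        if line in ("BEGIN:VEVENT", "END:VEVENT"):
            continue
        name, _, value = line.partition(":")
        props[name.split(";")[0].upper()] = value  # drop params such as ;TZID=
    return props

def restricted_view(event, fixed=True):
    """Render a VEVENT for a user allowed to see only its date and time."""
    allowed = ALLOW_DATE_TIME if fixed else ALLOW_DATE_TIME | LEAKED_BEFORE_FIX
    return {k: v for k, v in event.items() if k in allowed}

def correlate(views_by_user):
    """(user_a, user_b) pairs whose restricted views share a UID and DTSTAMP."""
    seen, links = {}, []
    for user, views in views_by_user.items():
        for ev in views:
            key = (ev.get("UID"), ev.get("DTSTAMP"))
            if None in key:  # fixed view exposes neither, so nothing to match on
                continue
            links.extend((other, user) for other in seen.get(key, []))
            seen.setdefault(key, []).append(user)
    return links

# Constructed sample: the same meeting as it appears in two users' calendars.
MEETING = parse_vevent("""BEGIN:VEVENT
UID:constructed-4f9e@example.invalid
DTSTAMP:20160601T120000Z
DTSTART;TZID=Europe/Paris:20160615T140000
DTEND;TZID=Europe/Paris:20160615T150000
SUMMARY:Board meeting (confidential)
LOCATION:Room 3
END:VEVENT""")
CALENDARS = {"alice": [MEETING], "bob": [dict(MEETING)]}

def links_for(fixed):
    """Apply the filter to every calendar, then try to match events across users."""
    views = {u: [restricted_view(e, fixed) for e in evs] for u, evs in CALENDARS.items()}
    return correlate(views)
```

With the pre-fix filter `links_for(False)` links alice's and bob's copies of the meeting; with the fixed filter the restricted view carries nothing to match on.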
How to fix CVE-2016-6190
To remediate CVE-2016-6190, upgrade the affected package to a fixed version below.
- Debian sogo: upgrade to 3.2.4-0.2 or later
Is CVE-2016-6190 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Debian sogo: all versions before 3.2.4-0.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.3) | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |