SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and cleartext passwords are stored, allows SQL injection. This is related to c_password = '%@' in changePasswordForLogin.
{
"binaries": [
{
"binary_name": "sogo",
"binary_version": "5.5.1-1ubuntu0.1~esm1"
},
{
"binary_name": "sogo-activesync",
"binary_version": "5.5.1-1ubuntu0.1~esm1"
},
{
"binary_name": "sogo-common",
"binary_version": "5.5.1-1ubuntu0.1~esm1"
}
],
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro"
}{
"binaries": [
{
"binary_name": "sogo",
"binary_version": "5.12.4-1.2ubuntu0.1~esm1"
},
{
"binary_name": "sogo-activesync",
"binary_version": "5.12.4-1.2ubuntu0.1~esm1"
},
{
"binary_name": "sogo-common",
"binary_version": "5.12.4-1.2ubuntu0.1~esm1"
}
],
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro"
}