CVE-2025-50340

Published: Aug 4, 2025

Modified: Aug 15, 2025

PUBLISHED

Description

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in SOGo Webmail thru 5.6.0, allowing an authenticated user to send emails on behalf of other users by manipulating a user-controlled identifier in the email-sending request. The server fails to verify whether the authenticated user is authorized to use the specified sender identity, resulting in unauthorized message delivery as another user. This can lead to impersonation, phishing, or unauthorized communication within the system. NOTE: this is disputed by the Supplier because the only effective way to prevent this sender spoofing is on the SMTP server, not within a client such as SOGo.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://www.sogo.nu/

https://github.com/millad7/SOGo_web_mail-vulnerability-CVE-2025-50340

https://www.mail-archive.com/users%40sogo.nu/msg34098.html

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110604

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-50340

Description

Affected Products

References