Hello,

Yes, the author Millad reported this to us in April. We shared our point of view on this matter, and he dropped the conversation. I don't know why he has decided to open it anyway.

The CVE is very misleading because this is not "Allows the user to send emails on behalf of another user."

SOGo will make the SMTP request without checking if the from value is the same as the authenticated user. What happens next is up to your SMTP server configuration. You can configure it to reject the mail if the from is not the mail address of the authenticated user. Plus, if the fake "from" uses a different domain, SPF will kick the mail later. It's your SMTP server configuration that must handle those cases. SOGo is just a client of the SMTP server.

What Millad would have wanted is: SOGo answers with a 40X HTTP status code in this case. However, there are a lot of legitimate reasons for a user to use a different from than their authentication email, like aliases...

Besides, if your IMAP/SMTP server is public to allow the usage of Outlook/Thunderbird/other, this feature won't help you and you have to configure the SMTP server properly anyway.

Hope it clarifies,

Regards

--
Quentin Hivert || Alinto || R&D Lead Developer
19 Quai Perrache 69002 Lyon
www.alinto.com

-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of "CERT OCD"
Sent: Wednesday, 13 August 2025 20:05
To: [email protected]
Subject: [SOGo] CVE-2025-50340 Status ?

Hello SOGo Team,

MITRE assigned CVE-2025-50340 [1] related to an alleged IDOR vulnerability - published 2 weeks ago [2].

The researcher says it affects 5.6.0 (May 2022) without saying it has been fixed (or not) by a newer version (5.7.0 ?).

Are you aware of this issue? Any status about the fix - if it has been fixed?

Thanks in advance.

Best,

[1] https://www.cve.org/CVERecord?id=CVE-2025-50340
[2] https://github.com/millad7/SOGo_web_mail-vulnerability-CVE-2025-50340
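An added example, not part of the thread and not SOGo or any mail server's own code: a sketch of the submission-time ownership check that the reply above assigns to the SMTP server, applied to both the envelope sender and the From header, with aliases allowed. The login-to-address map, the addresses, the sample messages and the function names are all constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed data: authenticated login -> addresses it may send as (aliases included).
SENDER_LOGIN_MAP = {
    "alice@example.org": {"alice@example.org", "sales@example.org"},
    "bob@example.org": {"bob@example.org"},
}

# Constructed sample messages.
ALIAS_MSG = "From: Sales <sales@example.org>\nTo: c@example.net\nSubject: quote\n\nhi\n"
SPOOF_MSG = "From: Alice <alice@example.org>\nTo: c@example.net\nSubject: urgent\n\nhi\n"


def normalize(addr):
    """Lower-case an address for comparison (assumption: local parts are case-insensitive)."""
    return addr.strip().lower()


def check_submission(login, mail_from, raw_message):
    """Return (accepted, reason) for one authenticated SMTP submission."""
    owned = {normalize(a) for a in SENDER_LOGIN_MAP.get(normalize(login), ())}
    if not owned:
        return False, "unknown login"
    # Envelope sender (MAIL FROM) must belong to the authenticated login.
    if normalize(mail_from) not in owned:
        return False, "envelope sender not owned by login"
    # The From header is what the recipient sees, so check it as well.
    msg = message_from_string(raw_message)
    addrs = [normalize(a) for _, a in getaddresses(msg.get_all("From", [])) if a]
    if len(addrs) != 1:
        return False, "exactly one From address required"
    if addrs[0] not in owned:
        return False, "From header not owned by login"
    return True, "ok"


if __name__ == "__main__":
    # Alias use is accepted; a From header owned by another user is rejected.
    print(check_submission("alice@example.org", "sales@example.org", ALIAS_MSG))
    print(check_submission("bob@example.org", "bob@example.org", SPOOF_MSG))
```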
