{"api_version":"1","generated_at":"2026-05-14T14:11:26+00:00","cve":"CVE-2016-6189","urls":{"html":"https://cve.report/CVE-2016-6189","api":"https://cve.report/api/cve/CVE-2016-6189.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2016-6189","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2016-6189"},"summary":{"title":"CVE-2016-6189","description":"Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.","state":"PUBLISHED","assigner":"mitre","published_at":"2017-02-17 17:59:00","updated_at":"2025-04-20 01:37:25"},"problem_types":["CWE-184","n/a"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"4","severity":"","vector":"AV:N/AC:L/Au:S/C:P/I:N/A:N","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","baseScore":4,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"}}],"references":[{"url":"https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d","name":"https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"(fix) improved previous commit for attributes stripping and UID gener… · inverse-inc/sogo@875a4ac · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2016/07/09/3","name":"http://www.openwall.com/lists/oss-security/2016/07/09/3","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","VDB Entry"],"title":"oss-security - Re: CVE request: several SOGo issues (DOS, XSS, information leakage)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://sogo.nu/bugs/view.php?id=3695","name":"https://sogo.nu/bugs/view.php?id=3695","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Vendor Advisory"],"title":"0003695: Private information leakage through ics/XML feeds when restricted to \"View the Date & Time\" - SOGo | BTS","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225","name":"https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"(fix) improved previous commit for attributes stripping and UID gener… · inverse-inc/sogo@717f45f · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2016-6189","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-6189","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2016","cve_id":"6189","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"alinto","cpe5":"sogo","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-06T01:22:20.752Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225"},{"name":"[oss-security] 20160709 Re: CVE request: several SOGo issues (DOS, XSS, information leakage)","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2016/07/09/3"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://sogo.nu/bugs/view.php?id=3695"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2016-07-04T00:00:00.000Z","descriptions":[{"lang":"en","value":"Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2017-02-17T16:57:01.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"tags":["x_refsource_CONFIRM"],"url":"https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d"},{"tags":["x_refsource_CONFIRM"],"url":"https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225"},{"name":"[oss-security] 20160709 Re: CVE request: several SOGo issues (DOS, XSS, information leakage)","tags":["mailing-list","x_refsource_MLIST"],"url":"http://www.openwall.com/lists/oss-security/2016/07/09/3"},{"tags":["x_refsource_CONFIRM"],"url":"https://sogo.nu/bugs/view.php?id=3695"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2016-6189","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d","refsource":"CONFIRM","url":"https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d"},{"name":"https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225","refsource":"CONFIRM","url":"https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225"},{"name":"[oss-security] 20160709 Re: CVE request: several SOGo issues (DOS, XSS, information leakage)","refsource":"MLIST","url":"http://www.openwall.com/lists/oss-security/2016/07/09/3"},{"name":"https://sogo.nu/bugs/view.php?id=3695","refsource":"CONFIRM","url":"https://sogo.nu/bugs/view.php?id=3695"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2016-6189","datePublished":"2017-02-17T17:00:00.000Z","dateReserved":"2016-07-09T00:00:00.000Z","dateUpdated":"2024-08-06T01:22:20.752Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2017-02-17 17:59:00","lastModifiedDate":"2025-04-20 01:37:25","problem_types":["CWE-184","n/a"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","baseScore":4,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:*","versionEndExcluding":"2.3.12","matchCriteriaId":"5D75E49A-4A29-46E4-82AF-2AF4CA019014"},{"vulnerable":true,"criteria":"cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.1.1","matchCriteriaId":"0C9075E1-13A1-42BC-8141-8981BD1B3640"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2016","CveId":"6189","Ordinal":"1","Title":"CVE-2016-6189","CVE":"CVE-2016-6189","Year":"2016"},"notes":[{"CveYear":"2016","CveId":"6189","Ordinal":"1","NoteData":"Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.","Type":"Description","Title":"CVE-2016-6189"},{"CveYear":"2016","CveId":"6189","Ordinal":"2","NoteData":"2017-02-17","Type":"Other","Title":"Published"},{"CveYear":"2016","CveId":"6189","Ordinal":"3","NoteData":"2017-02-17","Type":"Other","Title":"Modified"}]}}}