{"api_version":"1","generated_at":"2026-05-14T14:11:27+00:00","cve":"CVE-2016-6191","urls":{"html":"https://cve.report/CVE-2016-6191","api":"https://cve.report/api/cve/CVE-2016-6191.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2016-6191","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2016-6191"},"summary":{"title":"CVE-2016-6191","description":"Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Description, (2) Location, (3) URL, or (4) Title field.","state":"PUBLISHED","assigner":"mitre","published_at":"2017-02-17 17:59:00","updated_at":"2025-04-20 01:37:25"},"problem_types":["CWE-79","n/a"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"6.1","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"4.3","severity":"","vector":"AV:N/AC:M/Au:N/C:N/I:P/A:N","data":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","baseScore":4.3,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"}}],"references":[{"url":"http://www.openwall.com/lists/oss-security/2016/07/09/3","name":"http://www.openwall.com/lists/oss-security/2016/07/09/3","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch","VDB Entry"],"title":"oss-security - Re: CVE request: several SOGo issues (DOS, XSS, information leakage)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/inverse-inc/sogo/commit/64ce3c9c22fd9a28caabf11e76216cd53d0245aa","name":"https://github.com/inverse-inc/sogo/commit/64ce3c9c22fd9a28caabf11e76216cd53d0245aa","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"Escape HTML in raw source of events and tasks · inverse-inc/sogo@64ce3c9 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://sogo.nu/bugs/view.php?id=3718","name":"https://sogo.nu/bugs/view.php?id=3718","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"],"title":"0003718: Persistent Cross-Site Scripting in calendar - SOGo | BTS","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2016-6191","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-6191","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2016","cve_id":"6191","vulnerable":"1","versionEndIncluding":"3.1.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"alinto","cpe5":"sogo","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-06T01:22:20.653Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"name":"[oss-security] 20160709 Re: CVE request: several SOGo issues (DOS, XSS, information leakage)","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2016/07/09/3"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/inverse-inc/sogo/commit/64ce3c9c22fd9a28caabf11e76216cd53d0245aa"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://sogo.nu/bugs/view.php?id=3718"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2016-06-08T00:00:00.000Z","descriptions":[{"lang":"en","value":"Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Description, (2) Location, (3) URL, or (4) Title field."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2017-02-17T16:57:01.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"name":"[oss-security] 20160709 Re: CVE request: several SOGo issues (DOS, XSS, information leakage)","tags":["mailing-list","x_refsource_MLIST"],"url":"http://www.openwall.com/lists/oss-security/2016/07/09/3"},{"tags":["x_refsource_CONFIRM"],"url":"https://github.com/inverse-inc/sogo/commit/64ce3c9c22fd9a28caabf11e76216cd53d0245aa"},{"tags":["x_refsource_CONFIRM"],"url":"https://sogo.nu/bugs/view.php?id=3718"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2016-6191","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Description, (2) Location, (3) URL, or (4) Title field."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"[oss-security] 20160709 Re: CVE request: several SOGo issues (DOS, XSS, information leakage)","refsource":"MLIST","url":"http://www.openwall.com/lists/oss-security/2016/07/09/3"},{"name":"https://github.com/inverse-inc/sogo/commit/64ce3c9c22fd9a28caabf11e76216cd53d0245aa","refsource":"CONFIRM","url":"https://github.com/inverse-inc/sogo/commit/64ce3c9c22fd9a28caabf11e76216cd53d0245aa"},{"name":"https://sogo.nu/bugs/view.php?id=3718","refsource":"CONFIRM","url":"https://sogo.nu/bugs/view.php?id=3718"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2016-6191","datePublished":"2017-02-17T17:00:00.000Z","dateReserved":"2016-07-09T00:00:00.000Z","dateUpdated":"2024-08-06T01:22:20.653Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2017-02-17 17:59:00","lastModifiedDate":"2025-04-20 01:37:25","problem_types":["CWE-79","n/a"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","baseScore":4.3,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:*","versionEndIncluding":"3.1.2","matchCriteriaId":"A8489FF5-8F0F-4563-BE1A-785FF61F708A"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2016","CveId":"6191","Ordinal":"1","Title":"CVE-2016-6191","CVE":"CVE-2016-6191","Year":"2016"},"notes":[{"CveYear":"2016","CveId":"6191","Ordinal":"1","NoteData":"Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Description, (2) Location, (3) URL, or (4) Title field.","Type":"Description","Title":"CVE-2016-6191"},{"CveYear":"2016","CveId":"6191","Ordinal":"2","NoteData":"2017-02-17","Type":"Other","Title":"Published"},{"CveYear":"2016","CveId":"6191","Ordinal":"3","NoteData":"2017-02-17","Type":"Other","Title":"Modified"}]}}}