HTML Injection in Alinto/SOGo Web Client
Alinto
HTML Injection
SOGo Web Mail < 5.9.1
Phishing - In the body of the message, you can inject a malicious form that will send the entered data to the attacker.
The fix to prevent form tag in mail body has been made -> https://github.com/Alinto/sogo/commit/7481ccf37087c3f456d7e5a844da01d0f8883098
Spiridonov Ivan/E1tex
For demonstration purposes only. PoC Exploit works on SOGo vulnerable clients.