# CVE-2025-50340: Insecure Direct Object Reference (IDOR vulnerability) in SOGo Webmail

Insecure Direct Object Reference (IDOR vulnerability) in SOGo Webmail allows a user to send emails on behalf of another user.
- CVE ID: CVE-2025-50340
- Reporter: Milad Seddigh
- Product: SOGo
- Affected Versions: v5.6.0
- Impact: Insecure Direct Object Reference (IDOR vulnerability) → allows an authenticated user to send emails on behalf of another user.
## Summary
An Insecure Direct Object Reference (IDOR) vulnerability was discovered in SOGo Webmail, allowing an
authenticated user to send emails on behalf of other users by manipulating a user-controlled identifier in the email
sending request. The server fails to verify whether the authenticated user is authorized to use the specified sender
identity, resulting in unauthorized message delivery as another user. This can lead to impersonation, phishing, or
unauthorized communication within the system.
## Steps to Reproduce
1. Log in to your account.
2. Send an email and intercept your request using Burp Suite.
3. Change the `from` parameter to the victim's email address to send on behalf of the victim.
4. The server response reports that the email was sent successfully on behalf of the other user.
## Mitigation
Enforce proper authorization:

- Implement strict server-side authorization checks so that users can only perform actions on resources they are explicitly authorized to access.
- Verify that the authenticated user is the rightful owner of the email identity used as the sender (the `from` address) before the message is accepted for delivery; the decision must be based on the session's authenticated user, not on any value supplied in the request.
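The following is an added illustration of the server-side check described above; it is not SOGo's own code. It assumes a hypothetical identity directory (`ALLOWED_IDENTITIES`), a hypothetical send handler (`handle_send`) and that the sender comes in as an RFC 5322 `From` header value. The authorization decision is taken from the authenticated session user only; the request-supplied `from` value is treated as untrusted input that must match an identity the user owns.

```python
"""Server-side authorization of the sender identity for an outgoing message.

Added example for this advisory, not code from the SOGo project.  The
identity table, request shape and function names are assumptions.
"""
from email.utils import getaddresses
from typing import Optional

# Constructed directory of identities each account may send as: the
# account's primary address plus any aliases an administrator has granted.
# In a real deployment this comes from the user database or directory.
ALLOWED_IDENTITIES = {
    "alice": {"alice@example.com", "support@example.com"},
    "bob": {"bob@example.com"},
}


def normalize(address: str) -> str:
    """Hypothetical helper: compare addresses case-insensitively and without
    surrounding whitespace, so 'Bob@Example.com' and 'bob@example.com'
    resolve to the same identity."""
    return address.strip().lower()


def extract_sender(from_header: str) -> Optional[str]:
    """Return the single bare address from a From header value, or None when
    the header is empty, malformed, has no '@', or lists more than one
    address (a multi-address From must not slip a second sender through)."""
    addrs = [addr for _name, addr in getaddresses([from_header]) if addr]
    if len(addrs) != 1:
        return None
    addr = addrs[0]
    if "@" not in addr:
        return None
    return normalize(addr)


def authorize_sender(authenticated_user: str, from_header: str) -> bool:
    """True only when the From address is an identity owned by the
    authenticated user.  Unknown users and unparsable headers are denied
    (fail closed)."""
    sender = extract_sender(from_header)
    if sender is None:
        return False
    allowed = {normalize(a) for a in ALLOWED_IDENTITIES.get(authenticated_user, set())}
    return sender in allowed


def handle_send(authenticated_user: str, request: dict) -> dict:
    """Minimal send handler: refuse before anything is queued.  The user
    comes from the authenticated session, never from the request body."""
    from_header = request.get("from", "")
    if not authorize_sender(authenticated_user, from_header):
        return {"status": 403, "error": "sender identity not owned by user"}
    return {"status": 200, "queued_from": extract_sender(from_header)}


if __name__ == "__main__":
    print(handle_send("bob", {"from": "Bob <bob@example.com>"}))   # accepted
    print(handle_send("bob", {"from": "alice@example.com"}))       # refused
```

A stricter variant that removes the untrusted input altogether is to ignore any client-supplied `from` value and have the server populate the `From` header from the session identity it already knows; the check above is the minimum needed when the client is allowed to pick among several identities the user legitimately owns.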