CVE-2025-50340: 
Linux Debian vulnerability analysis and mitigation

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in SOGo Webmail through version 5.6.0. The vulnerability was assigned CVE-2025-50340 and was disclosed on August 4, 2025. The vulnerability affects the email-sending functionality of SOGo, a free and open-source webmail solution (SOGo Website, NVD).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) with a CVSS 3.1 Base Score of 4.3 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The weakness is categorized as CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability stems from the server's failure to properly verify sender identity authorization in email-sending requests (NVD).

The vulnerability allows authenticated users to send emails impersonating other users within the system. This can lead to unauthorized communication, impersonation attacks, and potential phishing campaigns by manipulating the sender's identity in email communications (GitHub POC).

The recommended mitigation involves implementing strict server-side authorization checks to ensure users can only send emails from their own accounts. Organizations should verify that the authenticated user is the rightful owner of the email identity being used as the sender (GitHub POC).