SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and cleartext passwords are stored, allows SQL injection. This is related to c_password = '%@' in changePasswordForLogin.
2.2.17a-12.2.17a-1.12.2.17a-1.1build13.2.10-13.2.10-1build14.0.8-14.1.0-14.1.1-14.3.0-15.1.0-15.2.0-15.2.0-35.3.0-15.3.0-1build25.4.0-15.5.0-15.5.1-15.11.2-45.12.1-15.12.1-1build25.12.1-25.12.1-35.12.1-35.12.4-15.12.4-1.15.12.4-1.2Exploitability
AV:NAC:HPR:LUI:NScope
S:UImpact
C:HI:HA:LCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L