Hello,
Thanks for reporting I will look into this and all the others issues you report.

Thank you qhivert! Please let me know if you have any questions or would like screenshots.

Just to be sure, in all your cases, it's the user itself or someone with the user access that "hacks" itself?

Correct, it's a self-XSS. I understand that lowers the severity considerably as is reflected in my rating of the issue. However, it's possible a user could be lured into performing some of these actions if they are socially engineered or if their account is compromised. There may be other avenues of exploiting these which may become available in the future which I either did not discover or are not yet possible. I'd consider them to be low-severity vulnerabilities under the current conditions though, I could certainly score them each for you if that may help.

What OS do you use, I've made a fix but I don't want to push it in the main branch yet. But I can build a package for you to test it.

I'm running it in docker through Mailcow, not sure how to best approach testing it. What are your thoughts?

Hello,
I've pushed the fix https://github.com/Alinto/sogo/commit/a7023bce1642ec1fd25fe68f0541407d78f321a0
It will be available in the next nightly. I don't have any idea how you could test that with mailcow though. I will let this issue open and close the others as this is the same problem/fix.

Thank you Qhivert, I'll test this ASAP. I'd like to register CVEs for these findings if that's alright!