Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allow sremote authenticated users to obtain sensitive information by read ing the fields in the ics or XML calendar feeds.