Admin TakeOver in modoboa/modoboa


Reported on

Jan 26th 2023


The endpoint /api/v2/token/ allows an unauthorized user to perform brute-forcing and the app doesn't block the request which not having any SESSION COOKIE or even CSRF token


POST /api/v2/token/ HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------25524418606542250161357131552
Content-Length: 301
Upgrade-Insecure-Requests: 1
Sec-Fetch-User: ?1
Sec-Gpc: 1
Te: trailers
Connection: close

Content-Disposition: form-data; name="username"

Content-Disposition: form-data; name="password"


This request returns 2 types of response codes.

--> HTTP/1.1 401 Unauthorized ::  For Incorrect Password
--> HTTP/1.1 200 OK   :: For Correct Password 

Proof Of Concept



Admin Take Over


We are processing your report and will contact the modoboa team within 24 hours. 2 months ago
We have contacted a member of the modoboa team and are waiting to hear back 2 months ago
Antoine Nguyen validated this vulnerability 2 months ago
7h3h4ckv157 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Antoine Nguyen marked this as fixed in 2.0.4 with commit 47d17a 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Antoine Nguyen published this vulnerability 2 months ago
12 days ago


@Maintainer @Admin

Is it possible to add here:

to join this conversation