Stored/Reflected XSS when adding a new domain in modoboa/modoboa

Reported on Jan 20th 2023

# Description

There is an XSS vulnerability: a malicious script is injected directly into the list of domains.

Proof of Concept

1. Go to admin/domains/
2. Click add to add a new domain
3. In the name section add this payload "><img src/onerror=prompt(8)> and you can see the payload executed



Cross site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user’s machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account.
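The two controls that close this class of bug, as an added example (not modoboa's code and not the fix referenced below): reject a domain name that does not match a strict hostname grammar at input time, and HTML-escape the name wherever it is rendered in the domain list. The function names and the in-memory store are assumptions for the example.

```python
import html
import re

# One RFC 1035 label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}")

# Payload quoted in the report above; used here only to show both controls reject it.
POC_PAYLOAD = '"><img src/onerror=prompt(8)>'


def is_valid_domain(name: str) -> bool:
    """Input-side control: allow only syntactically valid hostnames (max 253 chars)."""
    return 0 < len(name) <= 253 and DOMAIN_RE.fullmatch(name) is not None


def add_domain(store: list, name: str) -> str:
    """Normalise and store a domain, refusing anything that is not a hostname."""
    normalised = name.strip().rstrip(".").lower()
    if not is_valid_domain(normalised):
        raise ValueError(f"invalid domain name: {name!r}")
    store.append(normalised)
    return normalised


def render_domain_row_unsafe(name: str) -> str:
    """The vulnerable pattern: the stored value is concatenated into HTML verbatim."""
    return f"<tr><td>{name}</td></tr>"


def render_domain_row(name: str) -> str:
    """Output-side control: escape <, >, &, and quotes so the value is inert text."""
    return f"<tr><td>{html.escape(name, quote=True)}</td></tr>"


if __name__ == "__main__":
    domains = []
    print(add_domain(domains, "Example.COM."))          # -> example.com
    try:
        add_domain(domains, POC_PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
    print(render_domain_row_unsafe(POC_PAYLOAD))        # tag survives: exploitable
    print(render_domain_row(POC_PAYLOAD))               # tag escaped: inert
```

Validation alone is the wrong fix if other fields reach the same template; escaping at output (which Django templates do by default unless `|safe` or `mark_safe` is used) is the control that holds regardless of where the string came from.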


We are processing your report and will contact the modoboa team within 24 hours. (2 months ago)
0ozero0 modified the report (2 months ago)
We have contacted a member of the modoboa team and are waiting to hear back (2 months ago)
modoboa/modoboa maintainer validated this vulnerability (2 months ago)
0ozero0 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7

modoboa/modoboa maintainer (2 months ago):

Here is a fix:

(2 months ago)

Hi @maintainer, yes, it looks fixed.

(2 months ago)

Hi @maintainer, can you validate this as fixed and move to CVE?

modoboa/modoboa maintainer marked this as fixed in 2.0.4 with commit 354ab6 (2 months ago)
The fix bounty has been dropped
This vulnerability has been assigned a CVE
modoboa/modoboa maintainer published this vulnerability (2 months ago)