Stored/Reflected XSS when add new domain in modoboa/modoboa

Status: Valid

Reported on: Jan 20th 2023


Description

There is an XSS vulnerability: a malicious script is injected directly into the list of domains.

Proof of Concept

1. Go to admin/domains/
2. Click "add" to add a new domain
3. In the name field, add this payload: "><img src/onerror=prompt(8)> and you can see the payload executed

POC

https://drive.google.com/file/d/1wfKb3Ath3nI-KOL8VJVjK6hYDm2rpNeZ/view?usp=sharing
https://drive.google.com/file/d/1oFkYWuAwKlSXjCSC_IzTT46TVSe_UK4m/view?usp=sharing

Impact

Cross site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user’s machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account.
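The report describes the classic stored XSS pattern: a value the administrator types into a form is written back into an HTML table without escaping. The following is an added illustration, not code from modoboa or from the fix referenced later on this page; the row-rendering functions and `is_valid_domain_name` are hypothetical helpers written for this example. It shows the two defensive layers a practitioner would check for: output encoding at the point where the value lands in HTML, and a server-side allow-list check that a domain name can only contain hostname characters in the first place. The payload string is the one quoted in the report, used here only as test input.

```python
import html
import re

# Payload quoted in the report above, embedded here only as constructed test input.
REPORTED_PAYLOAD = '"><img src/onerror=prompt(8)>'

# One DNS label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_domain_name(name: str) -> bool:
    """Allow-list validation for a domain name (hypothetical helper, not modoboa's).

    Rejects anything that is not a syntactically valid hostname, which
    incidentally rejects every character needed to break out of an HTML
    attribute or tag. Validation is a second line of defence; escaping on
    output (below) is the primary fix.
    """
    if not name or len(name) > 253:
        return False
    if name.endswith("."):          # tolerate a fully-qualified trailing dot
        name = name[:-1]
    return all(_LABEL_RE.match(label) for label in name.split("."))


def render_domain_row_unsafe(name: str) -> str:
    """The bug pattern: user data interpolated into HTML with no escaping."""
    return f'<tr><td><a href="/admin/domains/{name}/">{name}</a></td></tr>'


def render_domain_row_safe(name: str) -> str:
    """Hardened version: HTML-escape the value (including quotes) before emitting it."""
    safe = html.escape(name, quote=True)
    return f'<tr><td><a href="/admin/domains/{safe}/">{safe}</a></td></tr>'


def contains_markup(rendered: str, needle: str = "<img") -> bool:
    """True if the rendered HTML still contains an unescaped tag from the input."""
    return needle in rendered


if __name__ == "__main__":
    print("valid domain?", is_valid_domain_name(REPORTED_PAYLOAD))
    print("unsafe:", render_domain_row_unsafe(REPORTED_PAYLOAD))
    print("safe:  ", render_domain_row_safe(REPORTED_PAYLOAD))
```

In a Django project such as modoboa the equivalent of `render_domain_row_safe` is leaving template autoescaping on and never passing user-controlled values through `mark_safe` or the `|safe` filter; the unsafe function above is what a template effectively does once escaping has been disabled for that field.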

Occurrences

- We are processing your report and will contact the modoboa team within 24 hours. (2 months ago)
- 0ozero0 modified the report (2 months ago)
- We have contacted a member of the modoboa team and are waiting to hear back (2 months ago)
- modoboa/modoboa maintainer validated this vulnerability (2 months ago)
- 0ozero0 has been awarded the disclosure bounty
- The fix bounty is now up for grabs
- The researcher's credibility has increased: +7

modoboa/modoboa maintainer (Maintainer), 2 months ago:


Here is a fix: https://github.com/modoboa/modoboa/pull/2757

0ozero0 (Researcher), 2 months ago:

Hi @maintainer Yes looks fixed

0ozero0 (Researcher), 2 months ago:

Hi @maintainer, can you validate this as fixed and move to CVE?

- modoboa/modoboa maintainer marked this as fixed in 2.0.4 with commit 354ab6 (2 months ago)
- The fix bounty has been dropped
- This vulnerability has been assigned a CVE
- modoboa/modoboa maintainer published this vulnerability (2 months ago)
- domain.py#L2 has been validated