XSS in /admin/domains when filtering a specific tag in modoboa/modoboa
Feb 18th 2023
Reflected XSS happens when filtering a specific tag in the Domains page and changing the "domfilter" URL query parameter to the malicious string.
Proof of Concept
1 - Login as a domain admin
2 - Go to the Domains page
3 - Click on one of the existing tags
4 - Change the domfilter query parameter value to <script>alert(document.cookie);</script>
5 - Enter and refresh page
Link for PoC: https://drive.google.com/file/d/14vWZiE6b4-l0u57jo-T-mILSz8NiLA-1/view?usp=share_link
XSS can cause a variety of problems for the end-user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user's session cookie, allowing an attacker to hijack the user's session and take over the account.
PR with fix: https://github.com/modoboa/modoboa/pull/2797
Tested in a dev environment with the changes and seems to be fixed. Could you validate as fixed and assign a CVE?