Stored/Reflected XSS when add new domain in modoboa/modoboa

Valid

Reported on

Jan 20th 2023


#Description there is an XSS vulnerability that malicious script is injected directly in list of domain

Proof of Concept

1//go to admin/domains/
2/ click add to add a new domain
3/ in name section add this payload "><img src/onerror=prompt(8)> and you can see payload executed

POC

https://drive.google.com/file/d/1wfKb3Ath3nI-KOL8VJVjK6hYDm2rpNeZ/view?usp=sharing https://drive.google.com/file/d/1oFkYWuAwKlSXjCSC_IzTT46TVSe_UK4m/view?usp=sharing

Impact

Cross site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user’s machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account.

Occurrences

We are processing your report and will contact the modoboa team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
0ozero0 modified the report
a year ago
We have contacted a member of the modoboa team and are waiting to hear back a year ago
modoboa/modoboa maintainer validated this vulnerability a year ago
0ozero0 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
modoboa/modoboa maintainer
a year ago

Here is a fix: https://github.com/modoboa/modoboa/pull/2757

0ozero0
a year ago

Researcher


Hi @maintainer Yes looks fixed

0ozero0
a year ago

Researcher


Hi @maintainer Can you validate this as fixed and move to CVE

modoboa/modoboa maintainer marked this as fixed in 2.0.4 with commit 354ab6 a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago
domain.py#L2 has been validated
to join this conversation