Stored/Reflected XSS when add new domain in modoboa/modoboa


Reported on Jan 20th 2023

# Description

There is an XSS vulnerability: a malicious script is injected directly into the list of domains.

Proof of Concept

1. Go to admin/domains/
2. Click add to add a new domain
3. In the name section add this payload `"><img src/onerror=prompt(8)>` and you can see the payload executed
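As an added defender-side example (not code from the report or from modoboa), the following Python shows why the PoC payload above breaks out of a naive HTML rendering of the domain name, and how output encoding plus hostname validation neutralizes it. The row template, the tag scanner and all function names are assumptions, not modoboa's own code.

```python
import html
import re

# Payload quoted in the report above, constructed here as a test input.
PAYLOAD = '"><img src/onerror=prompt(8)>'


# Hypothetical row template for a domain listing; it is NOT modoboa's template.
def render_unsafe(domain_name):
    """Interpolates the name straight into an attribute and a text node (vulnerable)."""
    return f'<tr><td data-name="{domain_name}">{domain_name}</td></tr>'


def render_safe(domain_name):
    """Same template with output encoding; quote=True also encodes the quote characters."""
    escaped = html.escape(domain_name, quote=True)
    return f'<tr><td data-name="{escaped}">{escaped}</td></tr>'


# Minimal tag scanner used only to check what a browser would parse as elements.
_TAG_RE = re.compile(r'<\s*/?\s*([A-Za-z][A-Za-z0-9]*)')


def tag_names(markup):
    return [m.group(1).lower() for m in _TAG_RE.finditer(markup)]


def injected_tags(markup, allowed=('tr', 'td')):
    """Tags present in the rendered row that the template itself never emits."""
    return [t for t in tag_names(markup) if t not in allowed]


# Defence in depth: a domain name should only ever be hostname labels (RFC 1035 shape).
_LABEL = r'(?!-)[A-Za-z0-9-]{1,63}(?<!-)'
_HOSTNAME_RE = re.compile(rf'{_LABEL}(?:\.{_LABEL})*')


def is_valid_domain_name(name):
    return len(name) <= 253 and _HOSTNAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    print("unsafe:", render_unsafe(PAYLOAD), injected_tags(render_unsafe(PAYLOAD)))
    print("safe:  ", render_safe(PAYLOAD), injected_tags(render_safe(PAYLOAD)))
    print("valid?", is_valid_domain_name(PAYLOAD), is_valid_domain_name("mail.example.com"))
```

Validation rejects the payload before it is stored, and encoding keeps it inert even if a later template forgets to escape.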



Cross site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user’s machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account.


We are processing your report and will contact the modoboa team within 24 hours. (a year ago)
A GitHub Issue asking the maintainers to create a exists (a year ago)
0ozero0 modified the report (a year ago)
We have contacted a member of the modoboa team and are waiting to hear back (a year ago)
modoboa/modoboa maintainer validated this vulnerability (a year ago)
0ozero0 has been awarded the disclosure bounty
The fix bounty is now up for grabs
modoboa/modoboa maintainer, a year ago:

Here is a fix:

a year ago:

Hi @maintainer, yes, looks fixed.

a year ago:

Hi @maintainer, can you validate this as fixed and move to CVE?
modoboa/modoboa maintainer marked this as fixed in 2.0.4 with commit 354ab6 (a year ago)
The fix bounty has been dropped
This vulnerability has now been published (a year ago)