Xss in compose mail functionaility in modoboa/modoboa-webmail


Reported on

Feb 1st 2023


Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

Proof of Concept

  • Step1: login as normal user.
  • step2: click on webmail and click on compose.
  • step3: now enter "<svg/onload=alert(document.domain)"@demo.local, try this payload also "><img src=x onerror=alert(document.domain)>

Now the web page render the js and we can see the popup in the browser.

POC: https://drive.google.com/file/d/1epB5BJSRG_VkdmO7KQjAZbHeWxX9kxA_/view?usp=share_link


XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user's session cookie, allowing an attacker to hijack the user's session and take over the account.

We are processing your report and will contact the modoboa/modoboa-webmail team within 24 hours. 10 months ago
Antoine Nguyen validated this vulnerability 10 months ago
r0b0t-0ne has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Antoine Nguyen
10 months ago


Here is the PR that fixes this issue: https://github.com/modoboa/modoboa-webmail/pull/242

10 months ago


@admin can you please assign cve for this report.

Ben Harvie
10 months ago


CVE assignment is in the hands of the maintainer, please refrain from tagging admins for this request. Thanks:)

Antoine Nguyen marked this as fixed in 1.7.1 with commit 599c93 10 months ago
Antoine Nguyen has been awarded the fix bounty
This vulnerability will not receive a CVE
Antoine Nguyen published this vulnerability 10 months ago
to join this conversation