XSS in /admin/domains when filtering a specific tag in modoboa/modoboa

Valid

Reported on

Feb 18th 2023


Description

A reflected XSS occurs when filtering by a specific tag on the Domains page and changing the "domfilter" URL query parameter to a malicious string.

Proof of Concept

1 - Log in as a domain admin

2 - Go to the Domains page

3 - Click on one of the existing tags

4 - Change the domfilter query parameter value to <script>alert(document.cookie);</script>

5 - Press Enter and refresh the page

Link for PoC: https://drive.google.com/file/d/14vWZiE6b4-l0u57jo-T-mILSz8NiLA-1/view?usp=share_link

Impact

XSS can cause a variety of problems for the end-user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user's session cookie, allowing an attacker to hijack the user's session and take over the account.
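
The regression check below is an added example, not code from modoboa or from this report: it reflects the domfilter value into a response with and without HTML output encoding, then parses the response to see whether the value created an element of its own. The render functions, the span markup and the URL are assumptions made for illustration; the probe string is the one from step 4.

```python
# Added illustration, not modoboa's code. render_raw/render_escaped are
# hypothetical stand-ins for a view that echoes ?domfilter= into the page.
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit

PROBE = "<script>alert(document.cookie);</script>"  # value from step 4
PROBE_URL = "/admin/domains?domfilter=" + quote(PROBE)  # constructed URL


def get_domfilter(url: str) -> str:
    """Return the decoded domfilter query parameter ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("domfilter", [""])[0]


def render_raw(url: str) -> str:
    # Raw interpolation: markup in the parameter becomes markup in the page.
    return f'<span class="tag">{get_domfilter(url)}</span>'


def render_escaped(url: str) -> str:
    # Output-encode for the HTML context the value lands in (a common
    # remedy, assumed here; not necessarily the change made in the PR).
    return f'<span class="tag">{escape(get_domfilter(url), quote=True)}</span>'


class _TagCollector(HTMLParser):
    """Records every element start tag the parser encounters."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_elements(page: str, allowed=("span",)) -> list:
    """Return elements in the response that the template did not intend."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return [t for t in collector.tags if t not in allowed]


if __name__ == "__main__":
    print("raw:", injected_elements(render_raw(PROBE_URL)))
    print("escaped:", injected_elements(render_escaped(PROBE_URL)))
```

Pointed at real responses from a test instance instead of the stand-in renderers, the same injected_elements check can confirm that a fixed build no longer turns the parameter into markup.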

We are processing your report and will contact the modoboa team within 24 hours. 9 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 9 months ago
João Oliveira modified the report
9 months ago
João Oliveira modified the report
9 months ago
We have contacted a member of the modoboa team and are waiting to hear back 9 months ago
Antoine Nguyen validated this vulnerability 9 months ago
João Oliveira has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Antoine Nguyen
9 months ago

Maintainer


PR with fix: https://github.com/modoboa/modoboa/pull/2797

João Oliveira
9 months ago

Researcher


Hello @maintainer

Tested in a dev environment with the changes and seems to be fixed. Could you validate as fixed and assign a CVE?

Thank you!

Antoine Nguyen marked this as fixed in 2.0.5 with commit aa74e9 9 months ago
Antoine Nguyen has been awarded the fix bounty
This vulnerability has been assigned a CVE
Antoine Nguyen published this vulnerability 9 months ago