exec_cmd() in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server.
Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.
Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.
Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.2.2.
modoboa prior to 2.1.0 is vulnerable to cross-site request forgery. An attacker must be logged in as admin to exploit this issue.
In modoboa prior to 2.1.0, sending a GET request to the endpoint /api/v2/parameters/core/ returns sensitive information without any authentication or authorization.
Modoboa 2.0.5 and prior allows users to set unsafe passwords, such as 1 or HACK. This issue is fixed in commit 130257c96a2392ada795785a91178e656e27015c and is part of version 2.1.0.
Cross-site Scripting (XSS) - Reflected in GitHub repository modoboa/modoboa prior to 2.0.45.
Improper Restriction of Excessive Authentication Attempts in GitHub repository modoboa/modoboa-installer prior to 2.0.4.
Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.
Cross-site Scripting (XSS) - Stored in GitHub repository modoboa/modoboa prior to 2.0.4.
Cross-site Scripting (XSS) - Stored in GitHub repository modoboa/modoboa prior to 2.0.4.
Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.
Modoboa 2.0.3 and prior is vulnerable to Cross-Site Request Forgery. A patch is available and anticipated to be part of version 2.0.4.
Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.