Cross-Site Request Forgery (CSRF) in modoboa/modoboa
Description
Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Modoboa prior to 2.0.4 is vulnerable to CSRF allowing unauthorized domain deletion via crafted requests.
Root Cause
Modoboa, a mail hosting management platform, lacked CSRF protection on the deldomain endpoint. The vulnerable code in modoboa/admin/views/domain.py only required login and delete permission but did not enforce a POST-only restriction or include a CSRF token check. This allowed attackers to craft a request that, when triggered by an authenticated administrator, would delete a domain without the admin's intent [1][4].
Attack Vector
An attacker can exploit this by tricking an authenticated Modoboa administrator into visiting a malicious page or clicking a link that sends a crafted HTTP request to the deldomain endpoint. No special network position is required; the attack can be performed remotely via social engineering or cross-site scripting if available. The administrator must be currently logged into Modoboa for the CSRF to succeed [2].
Impact
Successful exploitation results in unauthorized deletion of email domains managed by Modoboa, potentially causing disruption of mail services and loss of domain configuration. The attacker does not gain direct access to the system but can cause administrative actions to be performed without consent [1][3].
Mitigation
The fix was introduced in commit 8e14ac93669df4f35fcdebd55dc9d2f0fed3ed48, which adds the @require_http_methods(['POST']) decorator to the deldomain view, ensuring only POST requests are accepted. This change was included in modoboa version 2.0.4. Users are advised to upgrade to this version or later [1][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
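To make the root cause and the fix above concrete, here is an added stand-alone Python model (not Modoboa's or Django's code, and it needs no Django install): hypothetical `Request`, `require_http_methods` and `csrf_middleware` stand-ins reproduce how Django's CSRF middleware skips GET and how the 2.0.4 POST-only restriction closes that path, so a maintainer can assert that `deldomain` rejects everything except a token-bearing POST.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class Request:
    """Minimal stand-in for a Django HttpRequest (hypothetical, not Django's class)."""
    method: str
    POST: dict = field(default_factory=dict)
    session_token: str = ""  # server-side CSRF token bound to the admin's session

def require_http_methods(allowed):
    """Mirror of django.views.decorators.http.require_http_methods: 405 otherwise."""
    def decorator(view):
        def wrapped(request, *args, **kwargs):
            return view(request, *args, **kwargs) if request.method in allowed else 405
        return wrapped
    return decorator

def csrf_middleware(view):
    """Mirror of CsrfViewMiddleware: token checked only for unsafe methods, so a GET carries none."""
    def wrapped(request, *args, **kwargs):
        if request.method not in ("GET", "HEAD", "OPTIONS", "TRACE"):
            token = request.POST.get("csrfmiddlewaretoken", "")
            if not hmac.compare_digest(token, request.session_token):
                return 403
        return view(request, *args, **kwargs)
    return wrapped

def make_deldomain(domains, post_only):
    """Build the deldomain view over `domains`; post_only=True is the 2.0.4 shape."""
    def deldomain(request, dom_id):
        # The real view reads "keepdir" from request.POST here; on a GET that dict
        # is empty, so nothing stops the deletion from proceeding with the default.
        domains.pop(dom_id, None)
        return 200
    if post_only:
        deldomain = require_http_methods(["POST"])(deldomain)
    return csrf_middleware(deldomain)

def simulate(post_only, request, dom_id=1):
    """Return (status, domain still present) for one request against a fresh store."""
    domains = {dom_id: "example.org"}  # constructed sample data
    status = make_deldomain(domains, post_only)(request, dom_id)
    return status, dom_id in domains

TOKEN = "constructed-session-token"
print(simulate(False, Request("GET", session_token=TOKEN)))   # (200, False): pre-2.0.4
print(simulate(True, Request("GET", session_token=TOKEN)))    # (405, True)
print(simulate(True, Request("POST", session_token=TOKEN)))   # (403, True): no token
print(simulate(True, Request("POST", {"csrfmiddlewaretoken": TOKEN}, TOKEN)))  # (200, False)
```

The first line shows why the pre-2.0.4 view was exposed even with the middleware active: a GET is never token-checked, and the view accepted GET.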
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| modoboa (PyPI) | < 2.0.4 | 2.0.4 |
Affected products
- modoboa/modoboa/modoboa (v5), range: unspecified
Patches
- 8e14ac93669d: Merge pull request #2752 from modoboa/fix/delete_domain_post
1 file changed · +2 −0
modoboa/admin/views/domain.py+2 −0 modified@@ -16,6 +16,7 @@ from django.utils.translation import ugettext as _, ungettext from django.views import generic from django.views.decorators.csrf import ensure_csrf_cookie +from django.views.decorators.http import require_http_methods from modoboa.core import signals as core_signals from modoboa.lib.exceptions import PermDeniedException @@ -230,6 +231,7 @@ def editdomain(request, dom_id): @login_required @permission_required("admin.delete_domain") +@require_http_methods(["POST"]) def deldomain(request, dom_id): keepdir = request.POST.get("keepdir", "false") == "true" try:
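Review bot: In the second hunk, `@require_http_methods(["POST"])` closes the GET path but does not itself validate a token; the CSRF protection now rests on Django's CsrfViewMiddleware checking the token on POST, which nothing in the hunk states, so a one-line comment above `def deldomain(request, dom_id):` (or the PR description) should say the decorator exists to force every request through the middleware's POST check. Decorator order is also worth a look: with the new decorator innermost, an authenticated admin's GET passes `@login_required` and `@permission_required("admin.delete_domain")` before receiving 405, whereas placing it outermost answers 405 before any auth lookup.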
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-v9gj-5rgp-w33r (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-0398 (GHSA, advisory)
- github.com/modoboa/modoboa/commit/8e14ac93669df4f35fcdebd55dc9d2f0fed3ed48 (GHSA, web)
- github.com/pypa/advisory-database/tree/main/vulns/modoboa/PYSEC-2023-282.yaml (GHSA, web)
- huntr.dev/bounties/0a852351-00ed-44d2-a650-9055b7beed58 (GHSA, web)