Cross-Site Request Forgery (CSRF) in modoboa/modoboa
Description
Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Request Forgery in modoboa's remove_permission view lets an attacker who lures an authenticated administrator into a crafted request remove permissions from domain administrators; fixed in version 2.0.4.
CVE-2023-0438 is a Cross-Site Request Forgery (CSRF) vulnerability in the modoboa mail hosting platform, affecting versions prior to 2.0.4. The flaw exists in the remove_permission view, which lacked CSRF protection and did not enforce the HTTP DELETE method, allowing unauthorized actions to be performed on behalf of an authenticated administrator [1][2].
An attacker can exploit this by crafting a malicious link or form that, when visited by an authenticated admin, triggers a permission removal request without the admin's consent. The attack requires no special privileges beyond tricking an admin into interacting with the crafted content, as the vulnerable endpoint accepted GET requests without CSRF tokens [4].
Successful exploitation allows an attacker to remove permissions from domain administrators, potentially disrupting email management and access controls. The impact is limited to permission removal; other administrative functions are not directly affected [2].
The vulnerability was fixed in modoboa version 2.0.4 by enforcing the DELETE HTTP method and adding CSRF protections to the remove_permission view [4]. Users are advised to upgrade to the latest version to mitigate the risk.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
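As an added illustration of why the fix described above works (this is not modoboa's or Django's code): a stand-alone Python model of Django's CSRF middleware rule, which never token-checks safe methods, applied to the pre-2.0.4 GET-accepting view and the 2.0.4 DELETE-only view. The Request class, the token values, the permission store and the handler body are assumptions constructed for the demo.

```python
"""Model of why forcing DELETE closes CVE-2023-0438.
Django's CSRF middleware skips safe methods (GET/HEAD/OPTIONS/TRACE), so a
state-changing GET view stays unprotected even with the middleware enabled.
Request, tokens, the perms store and the handler are constructed assumptions."""
import hmac
from dataclasses import dataclass, field

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class Request:
    method: str
    params: dict = field(default_factory=dict)  # stands in for request.GET
    cookie_token: str = ""                        # csrftoken cookie
    header_token: str = ""                        # X-CSRFToken header


def csrf_middleware(view):
    """Mimics CsrfViewMiddleware: unsafe methods need a matching token, safe ones pass."""
    def wrapped(request, perms):
        if request.method not in SAFE_METHODS and not (
                request.cookie_token and hmac.compare_digest(request.cookie_token, request.header_token)):
            return 403
        return view(request, perms)
    return wrapped


def require_http_methods(allowed):
    """Mimics django.views.decorators.http.require_http_methods (405 otherwise)."""
    def deco(view):
        def wrapped(request, perms):
            return 405 if request.method not in allowed else view(request, perms)
        return wrapped
    return deco


def _remove_permission(request, perms):
    """Handler body: drop admin `daid` from domain `domid` (constructed store)."""
    perms.get(request.params.get("domid"), set()).discard(request.params.get("daid"))
    return 200


# Pre-2.0.4 shape: any method reaches the body, and GET skips the token check.
vulnerable_view = csrf_middleware(_remove_permission)
# 2.0.4 shape: DELETE only, so the middleware always demands the token first.
patched_view = csrf_middleware(require_http_methods(["DELETE"])(_remove_permission))


def simulate(view, method, with_token):
    """Returns (status, admin7 still holds the permission?) for one request."""
    perms = {"dom1": {"admin7"}}
    req = Request(method, {"domid": "dom1", "daid": "admin7"}, cookie_token="tok",
                  header_token="tok" if with_token else "")
    return view(req, perms), "admin7" in perms["dom1"]
```

A cross-site page can only trigger GET or POST, so the DELETE requirement alone blocks the forged request, and the token check then covers the remaining same-origin AJAX path.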
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| modoboa (PyPI) | < 2.0.4 | 2.0.4 |
Affected products
- modoboa/modoboa/modoboa (v5), range: unspecified
Patches
38d778cc71e3: Force DELETE method for remove permission view.
2 files changed · +12 −1
modoboa/admin/templates/admin/domain_detail.html+11 −1 modified@@ -125,7 +125,7 @@ <h3 class="panel-title"> {% trans "Show key" %} </button> <button data-toggle="modal" class="btn btn-default btn-xs" data-target="#dkim_regenerate_dialog"><span class="fa fa-refresh"></span></button> - + <div class="modal fade" id="dkim_regenerate_dialog" tabindex="-1" role="dialog" aria-labelledby="dkim_regenerate_dialog" aria-hidden="true"> <div class="modal-dialog" role="document"> <div class="modal-content"> @@ -206,6 +206,16 @@ <h5 class="modal-title" id="dkim_regenerate_dialog">{% trans "Warning" %}</h5> window.location.reload(); }); }); + $('a[name="removeperm"]').click(function (evt) { + evt.preventDefault(); + var $this = $(this); + $.ajax({ + url: $this.attr('href'), + method: 'DELETE' + }).done(function () { + window.location.reload(); + }); + }); }); function copy(id) { navigator.clipboard.writeText(document.getElementById(id).textContent);
modoboa/admin/views/identity.py+1 −0 modified@@ -196,6 +196,7 @@ def delaccount(request, pk): @login_required @permission_required("admin.add_domain") +@require_http_methods(["DELETE"]) def remove_permission(request): domid = request.GET.get("domid", None) daid = request.GET.get("daid", None)
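Review bot: in the `domain_detail.html` hunk, the new `$.ajax({ url: $this.attr('href'), method: 'DELETE' })` call sets no `X-CSRFToken` header, and once the view only accepts DELETE the CSRF middleware will check the token on that request; this only works if a page-wide `$.ajaxSetup`/`beforeSend` hook already adds the header, so confirm that or add `headers: {'X-CSRFToken': ...}` here. The chain also has `.done()` but no `.fail()`, so a 403 or 405 leaves the page unchanged with no feedback. The first hunk (`@@ -125,7 +125,7 @@`) replaces one line with a blank line, which reads as a whitespace-only change unrelated to this fix.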
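Review bot: in the `identity.py` hunk, `@require_http_methods(["DELETE"])` is the only added line, so `require_http_methods` must already be imported in this module (`from django.views.decorators.http import require_http_methods`) or the file fails to import; worth confirming, and the change carries no test asserting that a GET now gets 405. Decorator order is fine: `@login_required` and `@permission_required` still run first, so an anonymous GET is redirected to login rather than answered 405. Since `domid` and `daid` are still read from `request.GET`, the query string keeps working with DELETE, which is what the new AJAX call relies on.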
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-9c64-x3cx-vgmm (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-0438 (ghsa, ADVISORY)
- github.com/modoboa/modoboa/commit/38d778cc71e370216e067d054ce0169ad83078c8 (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/modoboa/PYSEC-2023-284.yaml (ghsa, WEB)
- huntr.dev/bounties/07a5b61b-306d-47c4-8ff0-06c540c7dfb3 (ghsa, WEB)
News mentions
No linked articles in our index yet.