VYPR
Moderate severity · NVD Advisory · Published Jan 26, 2023 · Updated Mar 31, 2025

Cross-site Scripting (XSS) - Stored in modoboa/modoboa

CVE-2023-0470

Description

Cross-site Scripting (XSS) - Stored in GitHub repository modoboa/modoboa prior to 2.0.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Modoboa prior to 2.0.4 allows attackers to inject arbitrary JavaScript via domain name or title attributes.

Vulnerability

Overview

CVE-2023-0470 is a stored cross-site scripting (XSS) vulnerability in Modoboa, a mail hosting and management platform, affecting versions prior to 2.0.4. The root cause is missing HTML encoding of user-controlled input when the administration interface renders domain names and title attributes. Specifically, the Domains JavaScript prototype read the title attribute of the delete-confirmation link into the confirmation dialog and wrote the domain name into a span with .html(), in both cases without HTML encoding [1][3].

Exploitation

Prerequisites

An attacker with the ability to create or modify domains (e.g., a domain administrator) can inject JavaScript into the domain name field or the title attribute. When other administrators or users interact with the affected interface (for example by opening the delete confirmation or the domain form), the injected script executes in their browser session. No additional authentication is required beyond the attacker's existing privileges to manage domains [2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, credential theft, defacement, or other actions that the victim can perform within the Modoboa administration panel. The stored nature of the XSS means the payload persists and affects all subsequent visitors to the affected page [1][2].

Mitigation

The vulnerability was fixed in Modoboa version 2.0.4 by introducing an htmlEncode helper and applying it at the two vulnerable sinks: the delete-confirmation question and the domain-name span [3]. Users are strongly advised to upgrade to 2.0.4 or later. No workarounds have been published, and the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
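As an added example (not Modoboa's code), the following reproduces the encoder introduced by the fix as htmlEncodePatch, places beside it a hypothetical code-point-aware variant htmlEncodeSafe that also handles null/undefined, and adds a sink-side check isInertForHtml; all sample domain-name values are constructed.

```javascript
// Encoder as introduced by the 2.0.4 fix: every character outside [\w. ]
// becomes a numeric reference built from charCodeAt (a UTF-16 code unit).
function htmlEncodePatch(str) {
  return String(str).replace(/[^\w. ]/gi, function (c) {
    return '&#' + c.charCodeAt(0) + ';';
  });
}

// Hypothetical hardened variant (assumption, not from the project):
// null/undefined become "", and iteration is by code point so a character
// outside the BMP (emoji, some IDN scripts) yields one valid reference
// instead of two surrogate references that HTML parsers reject.
function htmlEncodeSafe(str) {
  if (str === null || str === undefined) return '';
  let out = '';
  for (const ch of String(str)) {
    out += /^[A-Za-z0-9_. ]$/.test(ch) ? ch : '&#' + ch.codePointAt(0) + ';';
  }
  return out;
}

// Sink-side check for any string about to be passed to .html():
// true when, after removing well-formed numeric references, no raw
// HTML metacharacter (< > " ' &) remains.
function isInertForHtml(s) {
  return !/[<>"'&]/.test(s.replace(/&#\d+;/g, ''));
}

// Constructed sample values as they might arrive from a domain-name field.
const SAMPLES = {
  plain: 'example.com',
  markup: '<b>x</b>',          // raw tag; must not survive encoding
  amp: 'a&b"c',                 // ampersand and quote
  astral: '\u{1F600}.example',  // U+1F600, outside the BMP
};

// Runs both encoders over every sample and returns the results by name.
function encodeAll() {
  const result = {};
  for (const [name, value] of Object.entries(SAMPLES)) {
    result[name] = { patch: htmlEncodePatch(value), safe: htmlEncodeSafe(value) };
  }
  return result;
}
```

Both encoders neutralise the markup and quote samples; they differ on the astral sample, where the patched version emits two surrogate references and on undefined input, which it renders as the word "undefined".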

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: modoboa (PyPI)
Affected versions: < 2.0.4
Patched versions: 2.0.4

Affected products

  • ghsa-coords
    Range: < 2.0.4
  • modoboa/modoboa/modoboav5
    Range: unspecified

Patches

354ab6884019

Merge pull request #2757 from modoboa/fix/xss_issue_domain_form

https://github.com/modoboa/modoboa · Antoine Nguyen · Jan 24, 2023 · via ghsa
3 files changed · +16 -7
  • modoboa/admin/static/admin/js/admin.js (+2 -2, modified)
    @@ -152,7 +152,7 @@ Domains.prototype = {
                 : gettext("This operation will remove all data associated to this domain, excepting accounts.");
     
             $("a[name=deldomain]").confirm({
    -            question: function() { return this.$element.attr('title'); },
    +            question: function() { return htmlEncode(this.$element.attr('title')); },
                 method: "POST",
                 warning: warnmsg,
                 checkboxes: deloptions,
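Review bot: wrapping the confirmation `question` in htmlEncode is only correct if the confirm plugin inserts the question as HTML; if it inserts it as text, the numeric references will be displayed literally, so the hunk should state which it is (and if the plugin can take text, encoding becomes unnecessary). Also, `this.$element.attr('title')` is undefined when the link has no title attribute, and htmlEncode turns that into the string "undefined" rather than an empty question.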
    @@ -295,7 +295,7 @@ Domains.prototype = {
     
         optionsform_prefill: function() {
             var $span = $("#id_dom_admin_username").next("span");
    -        $span.html("@" + $("#id_name").val());
    +        $span.html("@" + htmlEncode($("#id_name").val()));
         },
     
         domadminsform_init: function() {
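Review bot: `$span.html("@" + htmlEncode($("#id_name").val()))` encodes the value and then has the browser re-parse it as HTML; `$span.text("@" + $("#id_name").val())` sets the same visible content with no HTML parsing at all and removes the dependency on htmlEncode's character class being complete. If .html() is kept, a comment that the value is user-controlled would help the next reader.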
    
  • modoboa/admin/templates/admin/domains.html (+5 -5, modified)
    @@ -13,11 +13,11 @@
       {{ block.super }}
       <script src="{% static 'transport/js/transport.js' %}" type="text/javascript"></script>
       <script type="text/javascript">
    -   $(document).ready(function() {
    -       admin = new Domains({
    -           load_page_url: "{% url 'admin:domain_page' %}"
    -       });
    -   });
    +  $(document).ready(function() {
    +      admin = new Domains({
    +          load_page_url: "{% url 'admin:domain_page' %}"
    +      });
    +  });
       </script>
     {% extra_static_content "domains" "js" user %}
     {% endblock %}
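Review bot: this hunk is whitespace-only (the five removed and five added lines differ only by one space of indentation) and has nothing to do with the XSS fix; carrying it in a security fix makes the commit harder to audit and to backport, so it belongs in a separate commit or should be dropped.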
    
  • modoboa/static/js/global.js (+9 -0, modified)
    @@ -361,6 +361,15 @@ String.prototype.format = function() {
         });
     };
     
    +/**
    + * Simple HTML escape function
    + */
    +function htmlEncode(str) {
    +    return String(str).replace(/[^\w. ]/gi, function(c) {
    +        return '&#'+c.charCodeAt(0)+';';
    +    });
    +}
    +
     $(document).ready(function() {
         $(document).ajaxSuccess(function(e, xhr, settings) { ajax_login_redirect(xhr); });
         $(document).ajaxError(defaultAjaxErrorHandler);
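Review bot: htmlEncode builds references from charCodeAt, which returns UTF-16 code units, so a value containing a character outside the BMP yields two surrogate references (U+1F600 becomes &#55357;&#56832;) that HTML parsers treat as a parse error and render as U+FFFD; iterating by code point (for...of with codePointAt) avoids this. Two smaller points: the `i` flag on /[^\w. ]/gi is redundant because \w already covers both cases, and String(undefined) produces "undefined" rather than an empty string, so null/undefined should be handled explicitly. The doc comment should also say the output is safe only in HTML text and quoted attribute contexts, not inside JavaScript or URL contexts.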
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
