Cross-site Scripting (XSS) - Stored in modoboa/modoboa
Description
Cross-site Scripting (XSS) - Stored in GitHub repository modoboa/modoboa prior to 2.0.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Modoboa prior to 2.0.4 allowed attackers to inject arbitrary JavaScript via account names and log messages.
Vulnerability
CVE-2023-0519 is a stored cross-site scripting (XSS) vulnerability in Modoboa, an open-source mail hosting and management platform [3]. The flaw existed in versions prior to 2.0.4 and stemmed from insufficient sanitization of user-controlled input when rendering account names in deletion confirmation dialogs and log entries in the admin interface [1][4].
Exploitation
An attacker with the ability to create or modify account identities could inject malicious JavaScript into the account title field. When an administrator attempted to delete that account, the injected script would be rendered by the browser, executing in the context of the admin session [4]. Additionally, unescaped log messages containing attacker-controlled content could trigger XSS when viewed in the logs panel [4]. No authentication was required to trigger the XSS if the attacker could influence the logged data, though exploitation typically required an authenticated admin user to interact with the vulnerable UI elements.
Impact
Successful exploitation allowed an attacker to execute arbitrary JavaScript in the browser of an authenticated Modoboa administrator. This could lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim administrator within the mail hosting platform [1].
Mitigation
The vulnerability was fixed in Modoboa version 2.0.4 by applying HTML encoding to account names and log messages before rendering them in the browser [4]. Users are strongly advised to upgrade to 2.0.4 or later. There is no evidence of this CVE being listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of this writing.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
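As an added example (not code from the Modoboa project or from the commit referenced on this page), the following JavaScript shows the pattern the 2.0.4 fix applies: HTML-encode an untrusted account name once before it is interpolated into markup for an attribute value and a text node. The `htmlEncode` below is my own implementation and a stand-in for whatever helper Modoboa's code calls; `buildListItemUnsafe`, `buildListItemSafe`, `leaksMarkup` and the sample account name are constructed for this illustration. It also includes a small check a reviewer or regression test can run to confirm that raw input no longer reaches the rendered fragment.

```javascript
// Added example (not Modoboa code): encode untrusted strings before they are
// interpolated into HTML, as the 2.0.4 fix does for account titles and
// autocompleter choices. htmlEncode is a hypothetical stand-in for the helper
// the Modoboa patch calls.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can break out of text or attribute context.
// Apply exactly once: encoding an already-encoded string yields "&amp;amp;".
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable shape (pre-2.0.4): raw interpolation into an HTML string.
function buildListItemUnsafe(value) {
  return '<li><a href="#" name="' + value + '">' + value + '</a></li>';
}

// Hardened shape: the same markup, with the value encoded for both the
// attribute and the text node.
function buildListItemSafe(value) {
  const enc = htmlEncode(value);
  return '<li><a href="#" name="' + enc + '">' + enc + '</a></li>';
}

// Regression check: true when a rendered fragment still contains the untrusted
// string verbatim and that string carries markup-significant characters.
function leaksMarkup(fragment, untrusted) {
  return /[<>"']/.test(untrusted) && fragment.includes(untrusted);
}

// Constructed sample account name containing tags, quotes and an ampersand.
const SAMPLE_NAME = 'alice <i>"staff"</i> & co';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildListItemUnsafe(SAMPLE_NAME));
  console.log(buildListItemSafe(SAMPLE_NAME));
  console.log('unsafe leaks:', leaksMarkup(buildListItemUnsafe(SAMPLE_NAME), SAMPLE_NAME));
  console.log('safe leaks:', leaksMarkup(buildListItemSafe(SAMPLE_NAME), SAMPLE_NAME));
}
```

Encoding at the point of interpolation is the narrowest fix; where the code builds DOM nodes with jQuery anyway, setting the attribute and text through `.attr()` and `.text()` avoids string interpolation entirely and needs no encoder.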
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| modoboa (PyPI) | < 2.0.4 | 2.0.4 |
Affected products
- modoboa/modoboa/modoboa v5; range: unspecified
Patches
eef9ab72b530: Avoid XSS issues while deleting account and looking at logs.
3 files changed · +3 −3
modoboa/admin/static/admin/js/admin.js+1 −1 modified@@ -408,7 +408,7 @@ Identities.prototype = { } $("a[name=delaccount]").confirm({ - question: function() { return this.$element.attr('title'); }, + question: function() { return htmlEncode(this.$element.attr('title')); }, method: "POST", checkboxes: deloptions, success_cb: $.proxy(this.reload_listing, this)
modoboa/core/templates/core/logs_page.html+1 −1 modified@@ -5,6 +5,6 @@ <td>{{ l.date_created|date:"SHORT_DATETIME_FORMAT" }}</td> <td>{{ l.level|colorize_level|safe }}</td> <td>{{ l.logger }}</td> - <td>{{ l.message|tohtml|safe }}</td> + <td>{{ l.message }}</td> </tr> {% endfor %}
modoboa/static/js/autocompleter.js+1 −1 modified@@ -56,7 +56,7 @@ $.each(this.choices, $.proxy(function(index, value) { if (exp.test(value)) { this.$menu.append( - $('<li><a href="#" name="' + value + '">' + value + '</a></li>') + $('<li><a href="#" name="' + htmlEncode(value) + '">' + htmlEncode(value) + '</a></li>') ); } }, this));
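Review bot: in the admin.js hunk, `htmlEncode(this.$element.attr('title'))` is only correct if the confirm plugin inserts `question` as HTML; if it sets it as a text node, the encoded entities would display literally, so the commit should state which it is. The hunk also does not show where `htmlEncode` is defined or loaded on the identities page, and a test with a title containing `<` and `"` would confirm the dialog renders the name as text.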
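Review bot: in the logs_page.html hunk, replacing `{{ l.message|tohtml|safe }}` with `{{ l.message }}` relies on Django autoescaping being active for this template (no enclosing `{% autoescape off %}`), which the hunk cannot confirm on its own. Whatever formatting `tohtml` added is now dropped; if it is still wanted, a filter that escapes first and then adds markup keeps both the formatting and the fix.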
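Review bot: in the autocompleter.js hunk, encoding `value` for both the `name` attribute and the link text closes the injection, but the line still assembles the element from a string. Building it as `$('<li>').append($('<a>', {href: '#', name: value}).text(value))` lets jQuery set the attribute and text directly, removes the dependency on `htmlEncode` here, and avoids double-encoding if a choice is ever pre-encoded upstream.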
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jm3m-wr3p-hjrq (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2023-0519 (advisory, via GHSA)
- github.com/modoboa/modoboa/commit/eef9ab72b5305578a3ad7a7463bd284aa645e98b (web, via GHSA)
- github.com/pypa/advisory-database/tree/main/vulns/modoboa/PYSEC-2023-31.yaml (web, via GHSA)
- huntr.dev/bounties/891ad0cb-d12f-4c5e-aac8-d7326caf2129 (web, via GHSA)
News mentions
No linked articles in our index yet.