VYPR
Moderate severity · NVD Advisory · Published Feb 22, 2023 · Updated Mar 12, 2025

Cross-site Scripting (XSS) - Reflected in modoboa/modoboa

CVE-2023-0949

Description

Cross-site Scripting (XSS) - Reflected in GitHub repository modoboa/modoboa prior to 2.0.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in Modoboa before 2.0.5 allows attackers to inject arbitrary web script through tag text that the listing page renders as HTML without escaping.

A reflected cross-site scripting (XSS) vulnerability exists in Modoboa versions prior to 2.0.5. The flaw arises because tag text in the listing UI is inserted into the page as HTML without escaping, so an attacker who controls that text can inject arbitrary JavaScript [2]. The vulnerability is classified as reflected XSS: the payload is not stored server-side but is returned by the application in the response to a request the attacker crafted, typically via a URL or request parameter.

To exploit this vulnerability, an attacker crafts a URL containing a malicious script and tricks a victim into opening it. The script then runs in the victim's browser under the Modoboa origin; if the victim holds an authenticated Modoboa session, it runs with that session's privileges, which is where the practical impact lies. The attack requires no special privileges other than the ability to deliver the malicious link to a user [2][3].

Successful exploitation allows the attacker to execute arbitrary script in the context of the victim's browser within the Modoboa origin. This can lead to session hijacking, cookie theft (or, where the session cookie is marked HttpOnly, actions issued as the victim from within the page), defacement, or redirection to malicious sites, compromising user accounts and data confidentiality.

The issue has been addressed in Modoboa version 2.0.5 with commit aa74e9a4a870 (pull request #2797), which HTML-encodes the tag text in make_tag in modoboa/static/js/listing.js before it is inserted into the page [1][3]. Users are strongly advised to upgrade to the latest version to mitigate the risk. No workarounds are known, and the vulnerability is considered important given Modoboa's use as a mail hosting platform [4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
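The vulnerable concatenation pattern described above and the escaping the 2.0.5 fix applies, as an added JavaScript example that is not Modoboa's code: htmlEncode below is my own implementation (the Modoboa helper of the same name that the patch calls is not shown on this page and is assumed to behave the same way), makeTagMarkupVulnerable and makeTagMarkupFixed are hypothetical string builders standing in for jQuery's element construction in make_tag, and PAYLOAD is a constructed probe string.

```javascript
// Added example, not Modoboa code. Shows why "html": " " + text is an XSS sink
// and what encoding at that sink changes.

// Assumption: this is my own htmlEncode; Modoboa's helper is not on this page.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function htmlEncode(text) {
  // Every character that can start or end a tag, attribute or entity is
  // replaced before the string is handed to an HTML parser.
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (hypothetical builder): attacker-controlled tag text is
// concatenated straight into markup, the string equivalent of jQuery's
// "html": " " + text in listing.js before the fix.
function makeTagMarkupVulnerable(text, type) {
  return '<a name="' + type + '" class="btn btn-default btn-xs">' +
         '<span class="fa fa-remove"></span> ' + text + '</a>';
}

// Hardened pattern (hypothetical builder): same layout, tag text and type
// HTML-encoded at the point where they meet the markup.
function makeTagMarkupFixed(text, type) {
  return '<a name="' + htmlEncode(type) + '" class="btn btn-default btn-xs">' +
         '<span class="fa fa-remove"></span> ' + htmlEncode(text) + '</a>';
}

// Structural check used by the demo: count element-start tokens in the
// produced markup. The builder itself emits exactly two (<a ...> and <span ...>),
// so any extra one means the tag text smuggled in an element of its own.
function countElementStarts(markup) {
  return (markup.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample input: a typical reflected-XSS probe used as the tag text.
const PAYLOAD = '<img src=x onerror=alert(document.cookie)>';

function demo() {
  const vulnerable = countElementStarts(makeTagMarkupVulnerable(PAYLOAD, 'from'));
  const fixed = countElementStarts(makeTagMarkupFixed(PAYLOAD, 'from'));
  return { vulnerable, fixed };
}

const result = demo();
console.log('element starts, vulnerable builder:', result.vulnerable); // 3: the <img> got in
console.log('element starts, fixed builder:', result.fixed);           // 2: payload is inert text
```

The same result is what jQuery gives in the real code path: `$("<a />", {"html": ...})` hands the string to the HTML parser, so the `<img>` becomes a live element and its `onerror` handler fires, whereas the encoded form is parsed as a text node. Encoding belongs at the sink, as the patch does, rather than on input, so that any other code path that reaches make_tag is covered too.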

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
modoboa (PyPI) | < 2.0.5 | 2.0.5

Affected products

2
  • ghsa-coords
    Range: < 2.0.5
  • modoboa/modoboa/modoboav5
    Range: unspecified

Patches

1
aa74e9a4a870

Merge pull request #2797 from modoboa/fix/xss_issue_with_tags

https://github.com/modoboa/modoboa · Antoine Nguyen · Feb 22, 2023 · via ghsa
1 file changed · +2 −2
  • modoboa/static/js/listing.js · +2 −2 · modified
    @@ -255,9 +255,9 @@ Listing.prototype = {
         make_tag: function(text, type) {
             var $tag = $("<a />", {
                 "name": type, "class" : "btn btn-default btn-xs",
    -            "html": " " + text
    +            "html": " " + htmlEncode(text)
             });
    -        
    +
             $("<span />", {"class" : "fa fa-remove"}).prependTo($tag);
             $tag.click($.proxy(this.remove_tag, this));
             return $tag;
    
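Review bot: the `+` line calls `htmlEncode`, but nothing in this hunk defines or imports it, so the fix depends on that helper being loaded as a global before `listing.js` on every page that renders tags; if it is missing, `make_tag` throws a ReferenceError and tags stop rendering, so confirm where it is defined and that it escapes `&`, `<`, `>`, `"` and `'`. A simpler option would be to avoid the HTML sink altogether: since the icon span is added afterwards with `prependTo($tag)`, passing `"text": " " + text` instead of `"html": " " + htmlEncode(text)` sets the label as a text node and needs no encoding. The second change in the hunk only strips trailing whitespace from a blank line.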

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.