VYPR
Moderate severity · NVD Advisory · Published Apr 18, 2023 · Updated Feb 5, 2025

Weak Password Requirements in modoboa/modoboa

CVE-2023-2160

Description

Weak Password Requirements in GitHub repository modoboa/modoboa prior to 2.1.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Modoboa prior to 2.1.0 had weak password requirements, allowing users to set insecure passwords during password updates.

Root Cause

CVE-2023-2160 identifies missing validation of the new-password fields in the Modoboa mail hosting platform prior to version 2.1.0. During a password update, the application did not enforce its password requirements, so a user could change a password to a weak value, or submit a half-filled form, without the request being rejected [1][2]. The only change visible in the fix commit is a required-field check: when a new password or its confirmation is submitted without the other, the form now raises a validation error instead of accepting the request.

Exploitation

An authenticated user could exploit this by submitting a password update request with a weak new password (e.g., a short or common password), or with only one of the new-password fields filled in, without triggering validation errors. The attack requires a valid account on the Modoboa instance and network access to the user profile endpoint (`core:user_profile` in the fix's test) [4].

Impact

Successful exploitation results in users having weak passwords, increasing the risk of account compromise via brute-force attacks, credential stuffing, or password guessing [1].

Mitigation

The issue was fixed in Modoboa version 2.1.0, released after the April 14, 2023 fix commit. The fix validates the new-password fields of the profile form: if either the new password or its confirmation is supplied without the other, the form now reports the missing field as required and the update is rejected [4]. The diff itself adds required-field errors, not new strength rules. Users should upgrade to 2.1.0 or later and confirm that their deployment enforces a password policy.
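The validation gap described above, as an added example that is not Modoboa's code: a minimal model of a profile form's clean() step, with the pre-fix shape (validation only runs when both new-password fields arrive, and no strength check at all) beside a hardened version that mirrors the fix's required-field errors and adds a simple strength policy. All names, the minimum length, the denylist and the sample payloads are assumptions constructed for this example; the hardened version generalizes the page's fix by also rejecting weak values, which the fix commit does not do.

```python
"""Added example, not Modoboa's code. Models the clean() step of a
password-update form: a weak version beside a hardened one.
Field names follow the page's test (oldpassword, newpassword,
confirmation); everything else is hypothetical."""

MIN_LENGTH = 12  # hypothetical policy value
# Constructed sample denylist; a real deployment would load a full list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "toto", "tutu"}


def validate_strength(password):
    """Return {"newpassword": message} if the candidate is weak, else {}."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short (minimum %d characters)" % MIN_LENGTH)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("too common")
    # Count character classes present: lower, upper, digit.
    classes = sum(
        1 for check in (str.islower, str.isupper, str.isdigit)
        if any(check(c) for c in password)
    )
    if classes < 2:
        problems.append("use at least two of lower, upper, digits")
    return {"newpassword": "; ".join(problems)} if problems else {}


def _fields(data):
    return (data.get(k, "") for k in ("newpassword", "confirmation", "oldpassword"))


def clean_weak(data, current_password):
    """Pre-fix shape: checks run only when BOTH new-password fields are
    present, so a lone confirmation (or lone new password) passes silently,
    and an accepted value is never checked for strength."""
    errors = {}
    new, conf, old = _fields(data)
    if new and conf:
        if old != current_password:
            errors["oldpassword"] = "Wrong password"
        if new != conf:
            errors["confirmation"] = "Passwords mismatch"
    return errors


def clean_hardened(data, current_password):
    """Hardened: half-filled forms are rejected (as in the fix), and a
    matching pair must also pass the strength policy."""
    errors = {}
    new, conf, old = _fields(data)
    if new and conf:
        if not old:
            errors["oldpassword"] = "This field is required."
        elif old != current_password:
            errors["oldpassword"] = "Wrong password"
        if new != conf:
            errors["confirmation"] = "Passwords mismatch"
        else:
            errors.update(validate_strength(new))
    elif new or conf:
        # Exactly one of the pair was supplied: name the missing one.
        if not conf:
            errors["confirmation"] = "This field is required."
        else:
            errors["newpassword"] = "This field is required."
    return errors


def http_status(errors):
    """Mirror a form-backed AJAX endpoint: 400 on validation errors, else 200."""
    return 400 if errors else 200


# Constructed sample payloads; the current password is "toto" as in the page's test.
SAMPLES = {
    "half-filled form": {"oldpassword": "toto", "confirmation": "tutu"},
    "weak new password": {"oldpassword": "toto", "newpassword": "tutu",
                          "confirmation": "tutu"},
    "strong new password": {"oldpassword": "toto",
                            "newpassword": "Correct-Horse-Battery-9",
                            "confirmation": "Correct-Horse-Battery-9"},
    "no password change": {"oldpassword": "toto"},
}


def run_samples(current_password="toto"):
    """Return {label: (weak_status, hardened_status)} for every sample payload."""
    return {
        label: (http_status(clean_weak(data, current_password)),
                http_status(clean_hardened(data, current_password)))
        for label, data in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, (weak, hardened) in run_samples().items():
        print("%-20s weak=%d hardened=%d" % (label, weak, hardened))
```

Running the block shows the half-filled and weak-password payloads returning 200 from the weak form and 400 from the hardened one, while a strong, confirmed password and a no-change update return 200 from both.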

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Affected versions   Patched versions
modoboa (PyPI)    < 2.1.0             2.1.0

Affected products (2)

  • ghsa-coords
    Range: < 2.1.0
  • modoboa/modoboa/modoboav5
    Range: unspecified

Patches (1)

130257c96a23

Fixed security issue with password update.

https://github.com/modoboa/modoboa · Antoine Nguyen · Apr 14, 2023 · via ghsa
2 files changed · +12 −0
  • modoboa/core/forms.py (+5 −0, modified)
    @@ -92,6 +92,11 @@ def clean(self):
                             confirmation, self.instance)
                 else:
                     self.add_error("oldpassword", _("This field is required."))
    +        elif newpassword or confirmation:
    +            if not confirmation:
    +                self.add_error("confirmation", _("This field is required."))
    +            else:
    +                self.add_error("newpassword", _("This field is required."))
             return self.cleaned_data
     
         def save(self, commit=True):
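Review bot: the new `elif newpassword or confirmation:` branch relies on the preceding `if` having already required both fields together, but that condition sits outside the hunk; if the outer test is anything other than both fields being present, the `else:` arm that reports `newpassword` as required can fire while a new password was in fact supplied. Making the two arms explicit, e.g. `if newpassword and not confirmation:` / `elif confirmation and not newpassword:`, ties each error to the field that is actually missing without depending on the outer condition. Note also that the hunk adds required-field errors only; nothing here checks the strength of an accepted value, so whatever strength validation applies must already run in the branch above.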
    
  • modoboa/core/tests/test_core.py (+7 −0, modified)
    @@ -146,6 +146,13 @@ def test_update_password(self):
                 self.client.login(username="user@test.com", password="toto"), True
             )
     
    +        self.ajax_post(
    +            reverse("core:user_profile"),
    +            {"oldpassword": "toto",
    +             "confirmation": "tutu"},
    +            status=400
    +        )
    +
             self.ajax_post(
                 reverse("core:user_profile"),
                 {"oldpassword": "toto",
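Review bot: the added test exercises only the confirmation-without-new-password case, i.e. the `else:` arm of the fix; the mirror case, `newpassword` supplied with no `confirmation`, which drives the `if not confirmation:` arm, has no coverage. Add a second `ajax_post` with `{"oldpassword": "toto", "newpassword": "tutu"}` expecting `status=400`, and assert on the error key in the response for both posts so that a 400 from some other validation path does not mask a regression.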
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)


News mentions (0)


No linked articles in our index yet.