VYPR
Critical severity · NVD Advisory · Published Apr 21, 2023 · Updated Feb 4, 2025

Improper Authorization in modoboa/modoboa

CVE-2023-2227

Description

Improper Authorization in GitHub repository modoboa/modoboa prior to 2.1.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper authorization in Modoboa prior to 2.1.0 allows unauthorized access to sensitive component information via missing permission checks on API endpoints.

Vulnerability

Description

CVE-2023-2227 is an improper authorization vulnerability in the Modoboa mail hosting platform prior to version 2.1.0. The issue stems from missing permission checks on certain API endpoints, specifically the ComponentsInformationAPIView that provides information about installed components. The endpoint lacked the required IsSuperUser permission, allowing any user to access it.

Exploitation

An attacker can exploit this vulnerability by making a request to the vulnerable API endpoint. No special privileges are required; any authenticated user, or potentially even unauthenticated users if no authentication is enforced, can retrieve a list of installed extensions and their versions. The fix, as seen in commit [4], adds both IsAuthenticated and IsSuperUser permission classes to restrict access.

Impact

Successful exploitation allows an attacker to enumerate the enabled extensions on a Modoboa instance. This information can be used to identify vulnerable or misconfigured components, aiding in further attacks against the system.

Mitigation

The vulnerability is patched in Modoboa version 2.1.0 [1][2]. Users are strongly advised to upgrade to this version or later. No workarounds are documented; updating is the recommended action.
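The fix the advisory describes is a class-level permission_classes list carrying both IsAuthenticated and IsSuperUser. The block below is an added example, not Modoboa's or Django REST framework's own code: it models DRF's permission pipeline with small stand-in classes so it runs without Django, places the pre-fix view shape next to the patched one, and returns the status code each caller type receives. It assumes the pre-fix project default was AllowAny (the page does not show Modoboa's DEFAULT_PERMISSION_CLASSES), and the component list it serves is constructed.

```python
"""Stand-alone model of Django REST framework's permission check, written to
show why the CVE-2023-2227 fix sets both IsAuthenticated and IsSuperUser.

Added example: minimal stand-ins following DRF's documented semantics, not
Modoboa's or DRF's own implementation.
"""
from dataclasses import dataclass


@dataclass
class User:
    username: str
    is_authenticated: bool = True
    is_superuser: bool = False


# Stand-in for django's AnonymousUser: not authenticated, never a superuser.
ANONYMOUS = User("anonymous", is_authenticated=False)


@dataclass
class Request:
    user: User

    @property
    def successful_authenticator(self):
        # DRF sets this when an authenticator identified the caller; it is what
        # turns a denial into 401 (anonymous) rather than 403 (known user).
        return self.user.is_authenticated


class BasePermission:
    def has_permission(self, request, view):
        return True


class IsAuthenticated(BasePermission):
    def has_permission(self, request, view):
        return bool(request.user and request.user.is_authenticated)


class IsSuperUser(BasePermission):
    """Same test as the class the patch adds to modoboa/lib/permissions.py,
    wrapped in bool(...) the way DRF's built-in permission classes are."""

    def has_permission(self, request, view):
        return bool(request.user and request.user.is_superuser)


class APIView:
    # Assumption: the pre-fix default was AllowAny (an empty list behaves the
    # same). The page does not show the project's DEFAULT_PERMISSION_CLASSES.
    permission_classes = []

    def check_permissions(self, request):
        """Mirror DRF: every permission must pass; the first failure decides."""
        for permission in (cls() for cls in self.permission_classes):
            if not permission.has_permission(request, self):
                return 403 if request.successful_authenticator else 401
        return None

    def dispatch(self, request):
        status = self.check_permissions(request)
        if status is not None:
            return status, None
        return 200, self.get(request)

    def get(self, request):
        raise NotImplementedError


# Constructed payload standing in for the installed-components list.
COMPONENTS = [{"name": "example-extension", "version": "0.0.0-constructed"}]


class VulnerableComponentsView(APIView):
    """Pre-2.1.0 shape: only throttling configured, no permission_classes."""

    def get(self, request):
        return COMPONENTS


class FixedComponentsView(APIView):
    """Post-fix shape of ComponentsInformationAPIView."""

    permission_classes = [IsAuthenticated, IsSuperUser]

    def get(self, request):
        return COMPONENTS


def probe(view_cls):
    """Status code each caller type gets from view_cls. Usable as a regression
    check: only the superuser should see 200 on the fixed view."""
    callers = {
        "anonymous": ANONYMOUS,
        "user": User("alice"),
        "superuser": User("root", is_superuser=True),
    }
    return {name: view_cls().dispatch(Request(user))[0]
            for name, user in callers.items()}


if __name__ == "__main__":
    print("before fix:", probe(VulnerableComponentsView))
    print("after fix: ", probe(FixedComponentsView))
```

The 401/403 split is the reason the patch lists IsAuthenticated before IsSuperUser: an anonymous caller would also fail IsSuperUser on its own, but the explicit authentication check gives an unauthenticated request the correct 401 and keeps the superuser class from having to reason about anonymous users.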

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
modoboa   PyPI        < 2.1.0             2.1.0

Affected products

  • ghsa-coords
    Range: < 2.1.0
  • modoboa/modoboa/modoboav5
    Range: unspecified

Patches

7bcd3f6eb264

Added missing permissions on API endpoints

https://github.com/modoboa/modoboa · Antoine Nguyen · Feb 27, 2023 · via ghsa
4 files changed · +19 -4
  • modoboa/admin/api/v1/viewsets.py (+0 -1) modified
    @@ -93,7 +93,6 @@ def get_throttles(self):
             throttles = super().get_throttles()
             if self.action == "reset_password":
                 throttles.append(PasswordResetRequestThrottle())
    -        
             return throttles
     
         def get_serializer_class(self):
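Review bot: the only change in this hunk is the removal of a whitespace-only line inside get_throttles(), which has nothing to do with the authorization fix. Harmless, but unrelated cleanup in a security patch makes the backport diff noisier than it needs to be; consider leaving it out of the fix commit.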
    
  • modoboa/core/api/v2/views.py (+7 -2) modified
    @@ -9,15 +9,19 @@
     from django.contrib.auth import login
     
     from drf_spectacular.utils import extend_schema
    -from rest_framework import response, status
    +from rest_framework import permissions, response, status
     from rest_framework.exceptions import AuthenticationFailed
     from rest_framework_simplejwt import views as jwt_views
     from rest_framework_simplejwt.exceptions import InvalidToken
     from rest_framework.views import APIView
     
     from modoboa.core.password_hashers import get_password_hasher
     from modoboa.core.utils import check_for_updates
    -from modoboa.lib.throttle import UserLesserDdosUser, LoginThrottle, PasswordResetApplyThrottle, PasswordResetRequestThrottle, PasswordResetTotpThrottle
    +from modoboa.lib.permissions import IsSuperUser
    +from modoboa.lib.throttle import (
    +    UserLesserDdosUser, LoginThrottle, PasswordResetApplyThrottle,
    +    PasswordResetRequestThrottle, PasswordResetTotpThrottle
    +)
     from modoboa.parameters import tools as param_tools
     
     from smtplib import SMTPException
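Review bot: the wrapped `from modoboa.lib.throttle import (...)` block has no trailing comma after `PasswordResetTotpThrottle`, so the next throttle added will touch two lines; add one. The new `permissions` and `IsSuperUser` imports are both consumed by the ComponentsInformationAPIView hunk below, so no unused imports are introduced here.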
    @@ -192,6 +196,7 @@ def post(self, request, *args, **kwargs):
     class ComponentsInformationAPIView(APIView):
         """Retrieve information about installed components."""
     
    +    permission_classes = [permissions.IsAuthenticated, IsSuperUser]
         throttle_classes = [UserLesserDdosUser]
     
         @extend_schema(responses=serializers.ModoboaComponentSerializer(many=True))
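Review bot: the added `permission_classes = [permissions.IsAuthenticated, IsSuperUser]` line is the actual fix for the endpoint named in the advisory, but none of the four files in this commit is a test. Add a regression test asserting that ComponentsInformationAPIView answers 401 to an anonymous request and 403 to an authenticated non-superuser, so the check cannot be dropped silently again. Since the class previously set only `throttle_classes`, it was relying on the project's DEFAULT_PERMISSION_CLASSES; any other APIView in the codebase that does the same should be audited in the same pass.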
    
  • modoboa/lib/permissions.py (+9 -0) modified
    @@ -3,6 +3,8 @@
     from django.contrib.auth.models import Group, Permission
     from django.contrib.contenttypes.models import ContentType
     
    +from rest_framework import permissions
    +
     from modoboa.core import constants as core_constants, signals as core_signals
     from modoboa.core.models import ObjectAccess, User
     
    @@ -150,3 +152,10 @@ def add_permissions_to_group(group, permissions):
             group.permissions.add(
                 Permission.objects.get(content_type=ct, codename=permname)
             )
    +
    +
    +class IsSuperUser(permissions.BasePermission):
    +    """Permission class to allow only super users."""
    +
    +    def has_permission(self, request, view):
    +        return request.user.is_superuser
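Review bot: `has_permission` returns `request.user.is_superuser` unguarded; DRF's built-in classes write this as `bool(request.user and request.user.is_superuser)` so a deployment whose UNAUTHENTICATED_USER setting is None gets a denial instead of an AttributeError. Pairing the class with IsAuthenticated in the views covers that case there, but since this lives in a shared lib module it should be safe on its own. A custom class is justified: DRF's IsAdminUser checks `is_staff`, not `is_superuser`, so it would not express the intended rule.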
    
  • modoboa/parameters/api/v2/viewsets.py (+3 -1) modified
    @@ -1,9 +1,10 @@
     """Parameters viewsets."""
     
     from drf_spectacular.utils import extend_schema, OpenApiParameter
    -from rest_framework import response, viewsets
    +from rest_framework import permissions, response, viewsets
     from rest_framework.decorators import action
     
    +from modoboa.lib.permissions import IsSuperUser
     from modoboa.lib.throttle import GetThrottleViewsetMixin
     
     from . import serializers
    @@ -14,6 +15,7 @@ class ParametersViewSet(GetThrottleViewsetMixin, viewsets.ViewSet):
         """Parameter viewset."""
     
         lookup_value_regex = r"\w+"
    +    permission_classes = [permissions.IsAuthenticated, IsSuperUser]
         serializer_class = None
     
         @extend_schema(responses=serializers.ApplicationSerializer(many=True))
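Review bot: the class-level `permission_classes` covers every action of ParametersViewSet only as long as no `@action(...)` in this file passes its own `permission_classes`, which would replace the class default for that endpoint. Because `action` is imported from rest_framework.decorators, the decorated endpoints (outside this hunk) should be checked for such overrides, and, as with the core view, a test asserting 401/403 for non-superusers is missing from the commit.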
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
