Cross-Site Request Forgery (CSRF) in modoboa/modoboa
Description
Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Modoboa prior to 2.1.0 lacks CSRF protections on domain and account edit operations, allowing attackers to perform unauthorized state-changing requests.
Vulnerability
Overview
CVE-2023-2228 describes a Cross-Site Request Forgery (CSRF) vulnerability in Modoboa, an open-source mail hosting management platform. The root cause is that certain edit operations—specifically those for modifying domains and accounts—were not protected by CSRF tokens or method enforcement. The commit that fixes this issue adds @require_http_methods(["POST"]) decorators to the editdomain and editaccount view functions, indicating that previously these endpoints accepted GET requests, which is a common vector for CSRF attacks [1][4].
Exploitation
An attacker can craft a malicious web page or email that, when visited by an authenticated Modoboa administrator, triggers a GET request (or a crafted POST) to one of the vulnerable endpoints. No special privileges beyond the victim's admin session are required. The exploit does not require any user interaction beyond the victim clicking a link or loading a page while authenticated to Modoboa [2].
Impact
Successful exploitation could allow an attacker to perform unauthorized modifications to domain or account settings, potentially leading to privilege escalation, data tampering, or disruption of email services. For example, an attacker could change a domain's configuration or modify user account permissions without consent [3].
Mitigation
The vulnerability is fixed in Modoboa version 2.1.0. All users should upgrade to this version or later. No workarounds are documented; the fix involves restricting the HTTP methods allowed on the vulnerable endpoints [1][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
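As an added illustration, not code from Modoboa or from this advisory, the stand-alone Python below models the two layers the Overview and Mitigation describe: Django's CSRF middleware, which skips safe methods such as GET, and the require_http_methods(["POST"]) decorator the 2.1.0 fix adds, so that an edit can no longer be triggered by a GET the token check never inspects. Request, the domain store and its quota field are constructed for the example, and both decorators are simplified models rather than Django's implementations.

```python
import hmac
import secrets
from collections import namedtuple
# Stand-in for a Django HttpRequest (constructed): method, query/form params, session CSRF token
Request = namedtuple("Request", "method params session_token")

def require_http_methods(allowed):
    """Model of Django's require_http_methods: any other method gets 405."""
    def decorator(view):
        def wrapper(request, *args, **kwargs):
            if request.method not in allowed:
                return 405, None
            return view(request, *args, **kwargs)
        return wrapper
    return decorator

def csrf_protect(view):
    """Model of CsrfViewMiddleware: unsafe methods must carry the session token; GET is exempt."""
    def wrapper(request, *args, **kwargs):
        if request.method not in ("GET", "HEAD", "OPTIONS", "TRACE"):
            sent = request.params.get("csrfmiddlewaretoken", "")
            if not hmac.compare_digest(sent, request.session_token):
                return 403, None
        return view(request, *args, **kwargs)
    return wrapper

@csrf_protect  # middleware assumed active both before and after the fix
def editdomain_vulnerable(request, dom_id, store):
    """Pre-2.1.0 shape: no method restriction, so a GET from a forged link edits state."""
    store[dom_id]["quota"] = int(request.params["quota"])
    return 200, store[dom_id]["quota"]

@csrf_protect
@require_http_methods(["POST"])  # the decorator the 2.1.0 fix adds
def editdomain_fixed(request, dom_id, store):
    """2.1.0 shape: POST only, so every edit passes through the token check."""
    store[dom_id]["quota"] = int(request.params["quota"])
    return 200, store[dom_id]["quota"]

def demo():
    """Returns {case: (status, quota_after)} for a constructed domain whose quota starts at 10."""
    token = secrets.token_hex(16)
    fresh = lambda: {7: {"name": "example.test", "quota": 10}}
    forged_get = Request("GET", {"quota": "0"}, token)    # link the victim follows
    forged_post = Request("POST", {"quota": "0"}, token)  # auto-submitted form; token unknown to it
    legit_post = Request("POST", {"quota": "20", "csrfmiddlewaretoken": token}, token)
    return {"vulnerable_get": editdomain_vulnerable(forged_get, 7, fresh()),
            "fixed_get": editdomain_fixed(forged_get, 7, fresh()),
            "fixed_post_no_token": editdomain_fixed(forged_post, 7, fresh()),
            "fixed_post_with_token": editdomain_fixed(legit_post, 7, fresh())}
```

The vulnerable view returns 200 and the quota drops to 0 on the forged GET; the fixed view answers that GET with 405, a forged POST with 403, and only the token-bearing POST with 200.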
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| modoboa (PyPI) | < 2.1.0 | 2.1.0 |
Affected products
- modoboa/modoboa/modoboa v5, range: unspecified
Patches
5d886f3d0637: Fixed CSRF issues in edit operations.
2 files changed · +2 −0
modoboa/admin/views/domain.py+1 −0 modified@@ -214,6 +214,7 @@ def newdomain(request): @login_required @permission_required("admin.view_domain") +@require_http_methods(["POST"]) @reversion.create_revision() def editdomain(request, dom_id): """Edit domain view."""
modoboa/admin/views/identity.py+1 −0 modified@@ -167,6 +167,7 @@ def newaccount(request): @login_required @permission_required("core.change_user") +@require_http_methods(["POST"]) @reversion.create_revision() def editaccount(request, pk): account = User.objects.get(pk=pk)
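Review bot: in the domain.py hunk, the new @require_http_methods(["POST"]) on editdomain closes the GET path but is not itself a CSRF check; a forged cross-site POST is only rejected if CsrfViewMiddleware is enabled and this view is not marked csrf_exempt, and the hunk shows neither, so confirm both as part of the same change. Two smaller points from the visible decorator stack: the import of require_http_methods is not in the hunk, so verify the module already imports it (the diff adds only the decorator line), and editdomain remains gated by the view-level permission "admin.view_domain" while the parallel edit view in identity.py uses "core.change_user"; if editing a domain is meant to require more than viewing it, a change-level permission would be the place to tighten.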
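Review bot: in the identity.py hunk, the body of editaccount still does account = User.objects.get(pk=pk), which raises User.DoesNotExist for an unknown pk and surfaces as a 500 rather than a 404; get_object_or_404(User, pk=pk) would be the idiomatic replacement, and since it is unrelated to the CSRF fix it could be a follow-up. As with domain.py, the hunk does not show require_http_methods being imported, so confirm the import exists in this module before merging.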
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6pvf-cq4f-hfjp (ghsa: advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-2228 (ghsa: advisory)
- github.com/modoboa/modoboa/commit/5d886f3d06373d2c3292911bac0772bcd5102343 (ghsa: web)
- github.com/pypa/advisory-database/tree/main/vulns/modoboa/PYSEC-2023-36.yaml (ghsa: web)
- huntr.dev/bounties/619fb490-69ad-4a2a-b686-4c42a62404a9 (ghsa: web)
News mentions
No linked articles in our index yet.