Cross-site Scripting (XSS) - DOM in modoboa/modoboa
Description
Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Modoboa prior to 2.2.2 contains a DOM-based Cross-Site Scripting (XSS) vulnerability in a profile form that can be exploited without authentication.
Vulnerability
Description
CVE-2023-5688 is a Cross-Site Scripting (XSS) vulnerability, classified as DOM-based in the advisory, in the Modoboa mail hosting management platform. The affected surface is the profile form. Before version 2.2.2 two things combined: the form's JavaScript selected the form to submit with $("form").first(), i.e. the first form on the page rather than the one the click came from, and the shared field template rendered validation errors as {{ error|safe }}, which switches off Django's autoescaping for the error text. A validation message that echoes the submitted value is therefore written into the page unescaped, and a crafted value becomes script that runs in the victim's browser [1][4].
Exploitation
The vulnerability is triggered through the profile form: the attacker supplies a value that the form rejects and that the resulting error message echoes back into the page. Exploitation requires user interaction, such as following a malicious link or submitting the crafted form, and the references do not document a need for prior authentication to deliver the payload [2]. Note, however, that a profile form is normally only reachable by a logged-in user, so in practice the payload fires in the session of an authenticated victim.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, data theft (including access tokens and sensitive information), and potential full compromise of the user's Modoboa session. The issue affects all users of Modoboa versions before 2.2.2 [1][2].
Mitigation
The vulnerability is fixed in Modoboa 2.2.2. The fix commit d33d3cd2d11dbfebd8162c46e2c2a9873919a967 (pull request #3095) makes two changes: twocols_nav.js now selects the form with $(e.target).closest("form") instead of $("form").first(), so the form that is submitted is the one the click came from, and generic_field.html renders field errors as {{ error }} instead of {{ error|safe }}, restoring Django's autoescaping for error text [4]. Users are strongly advised to upgrade to 2.2.2 or later. No workaround has been documented; the template change is the part of the commit that closes the injection sink, so operators who cannot upgrade immediately should at least verify that no template in their deployment renders field errors through |safe. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1][3].
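The following is an added example, not Modoboa's code, that models the sink the patch closes: a Django-style form error rendered with |safe beside the same error rendered under autoescaping. The validator, the field names and the payload are constructed for illustration; the "Select a valid choice" wording copies Django's ChoiceField message, which echoes the rejected value, but the page does not say which field the original report used.

```python
"""Added example (not Modoboa's code): a validation error that echoes the
submitted value, rendered verbatim ({{ error|safe }}, pre-2.2.2) versus
autoescaped ({{ error }}, 2.2.2)."""
import html
import re

# Constructed payload; any value the validator echoes back would do.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'

# Hypothetical choice list for the profile form's language field.
ALLOWED_LANGUAGES = {"en", "fr", "de"}


def validate_profile(data: dict) -> dict:
    """Hypothetical profile-form validator. Like Django's ChoiceField it
    repeats the rejected value inside the error text, which is what makes
    the error string attacker-influenced."""
    errors = {}
    language = data.get("language", "")
    if language not in ALLOWED_LANGUAGES:
        errors["language"] = [
            f"Select a valid choice. {language} is not one of the available choices."
        ]
    if not data.get("first_name"):
        errors["first_name"] = ["This field is required."]
    return errors


def render_field_errors(errors: dict, mark_safe: bool) -> str:
    """Renders the <p class="help-block"> block of generic_field.html.
    mark_safe=True mimics {{ error|safe }}: the string is emitted verbatim.
    mark_safe=False mimics {{ error }} under Django autoescape: the five
    HTML-significant characters are entity-encoded."""
    lines = []
    for field_name, messages in errors.items():
        for message in messages:
            body = message if mark_safe else html.escape(message, quote=True)
            lines.append(f'<p class="help-block" data-field="{field_name}">{body}</p>')
    return "\n".join(lines)


# Crude check used only by this example: does the fragment still contain a
# <script> element or a tag carrying an on*= event-handler attribute?
_LIVE_MARKUP = re.compile(r"<(script\b|[a-z]+[^>]*\son[a-z]+\s*=)", re.I)


def fragment_is_dangerous(fragment: str) -> bool:
    """True when the rendered fragment would execute script if inserted
    into the page as HTML."""
    return _LIVE_MARKUP.search(fragment) is not None


def demo(mark_safe: bool) -> str:
    """Submit the payload through the validator and render the errors."""
    submitted = {"language": PAYLOAD, "first_name": "alice"}
    return render_field_errors(validate_profile(submitted), mark_safe=mark_safe)


if __name__ == "__main__":
    print("pre-2.2.2 ({{ error|safe }}):\n" + demo(True))
    print("\n2.2.2 ({{ error }}):\n" + demo(False))
```

Run the module directly to see both renderings. The point of the example is that the validator is not at fault: echoing the rejected value is normal framework behaviour, and the sink only exists because the template opted out of autoescaping for a string it did not control.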
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| modoboa | PyPI | < 2.2.2 | 2.2.2 |
Affected products
- modoboa/modoboa/modoboa v5 (range: unspecified)
Patches
- d33d3cd2d11d: Merge pull request #3095 from modoboa/fix/xss_profile_form
2 files changed · +3 −3
modoboa/static/js/twocols_nav.js+1 −1 modified@@ -30,7 +30,7 @@ TwocolsNav.prototype = { listen: function() { $("a.ajaxnav").click($.proxy(this.load_section, this)); $(document).on("click", "#update", $.proxy(function(e) { - var $form = $("form").first(); + var $form = $(e.target).closest("form"); simple_ajax_form_post(e, { formid: $form.attr("id"), modal: false,
modoboa/templates/common/generic_field.html+2 −2 modified@@ -12,7 +12,7 @@ {% endif %} </label> {% endif %} - + <div class="{% render_field_width field %}"> {% if appended_text %} <div class="input-group"> @@ -31,7 +31,7 @@ {% if field.errors %} <p class="help-block"> {% for error in field.errors %} - {{ error|safe }} + {{ error }} {% endfor %} </p> {% endif %}
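Review bot: in the twocols_nav.js hunk, $(e.target).closest("form") yields an empty set when the #update control is not a descendant of the form it submits, so $form.attr("id") becomes undefined and simple_ajax_form_post is handed formid: undefined; the old $("form").first() masked that case. Add a guard before the call (for example `if (!$form.length) { return; }`) or fall back to the button's form attribute, and note in a comment that #update is expected to live inside the form, since the handler is delegated from document and e.target may be any element under the button.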
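Review bot: the hunk at @@ -12,7 in generic_field.html is a whitespace-only change, the removed and added lines are both blank, so it is harmless but unrelated to the XSS fix and should be dropped from a security commit or kept for a separate cleanup.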
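Review bot: the hunk at @@ -31,7 in generic_field.html is the change that actually removes the sink, because `error` can carry the submitted value and `|safe` disabled autoescaping for it; the commit message should say so rather than only naming the profile form. The side effect to check is that any validator which deliberately returns markup (a link inside an error message) will now render as literal text; where that is genuinely needed, build the message with format_html so only the trusted part is marked safe. It is also worth grepping the remaining templates for `|safe` applied to errors or other user-derived strings, since the same pattern elsewhere leaves the same sink open.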
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-pqgm-9g82-wcm7 (source: GHSA, type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-5688 (source: GHSA, type: advisory)
- github.com/modoboa/modoboa/commit/d33d3cd2d11dbfebd8162c46e2c2a9873919a967 (source: GHSA, type: web)
- github.com/pypa/advisory-database/tree/main/vulns/modoboa/PYSEC-2023-215.yaml (source: GHSA, type: web)
- huntr.com/bounties/0ceb10e4-952b-4ca4-baf8-5b6f12e3a8a7 (source: GHSA, type: web)
News mentions
No linked articles in our index yet.