VYPR
High severity · NVD Advisory · Published Oct 20, 2023 · Updated Sep 11, 2024

Cross-site Scripting (XSS) - DOM in modoboa/modoboa

CVE-2023-5689

Description

Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Modoboa prior to 2.2.2 contains a DOM-based XSS vulnerability in the profile form handling logic.

Vulnerability

Overview

CVE-2023-5689 is a DOM-based Cross-Site Scripting (XSS) vulnerability in Modoboa, a mail hosting management platform, affecting versions prior to 2.2.2. The issue lies in the TwocolsNav component's event handler, which used $("form").first() to select the form for submission. This allowed an attacker to inject a malicious form element that could be processed instead of the legitimate one, leading to arbitrary JavaScript execution [1].

Exploitation

An attacker could exploit this vulnerability by crafting a form with malicious attributes or content that, when the update action is triggered, executes attacker-controlled scripts in the context of the affected user's session. The attack requires some level of access, such as a user with profile editing capabilities, or could be combined with other vectors like clickjacking or social engineering [4].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to theft of session cookies, data exfiltration, or further compromise of the Modoboa instance [2].

Mitigation

The vulnerability was fixed in commit d33d3cd2, which changed the form selector to use $(e.target).closest("form") to ensure only the intended form is processed. Users should upgrade to Modoboa version 2.2.2 or later to remediate the issue [4].
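The difference between the two selectors is easiest to see on a concrete document tree. The following is an added example, not Modoboa's code: it models a minimal DOM (nodes with tagName, id, parentNode and children) and re-implements the two jQuery selection strategies from the handler, `$("form").first()` and `$(e.target).closest("form")`, so the behaviour can be compared without a browser. The page layout, element ids and the `safeFormId` guard are constructed for the illustration.

```javascript
// Added example (not Modoboa's code): a minimal stand-in for the DOM, enough to
// compare the two jQuery selection strategies from CVE-2023-5689 without a browser.

function makeNode(tagName, id, children = []) {
  const node = { tagName, id, parentNode: null, children };
  for (const child of children) child.parentNode = node;
  return node;
}

// Equivalent of $("form").first(): the first <form> in document (depth-first)
// order, regardless of where the clicked element sits.
function firstForm(root) {
  const queue = [root];
  while (queue.length) {
    const node = queue.shift();
    if (node.tagName === "form") return node;
    queue.unshift(...node.children); // depth-first, preserving document order
  }
  return null;
}

// Equivalent of $(e.target).closest("form"): walk up from the event target to
// the nearest enclosing <form>; null when the target is not inside any form.
function closestForm(target) {
  for (let node = target; node; node = node.parentNode) {
    if (node.tagName === "form") return node;
  }
  return null;
}

// Constructed page: the legitimate profile form, optionally preceded by a form
// injected earlier in the document. The #update button sits inside the
// legitimate form, as in the twocols_nav.js handler.
function buildPage(injectBeforeLegitimate) {
  const updateButton = makeNode("button", "update");
  const legitimate = makeNode("form", "profile_form", [
    makeNode("div", null, [updateButton]),
  ]);
  const injected = makeNode("form", "attacker_form", [makeNode("input", "evil")]);
  const body = makeNode(
    "body",
    null,
    injectBeforeLegitimate ? [injected, legitimate] : [legitimate]
  );
  return { doc: makeNode("html", null, [body]), updateButton };
}

// Which form id each strategy would hand to simple_ajax_form_post.
function selectedFormIds(injectBeforeLegitimate) {
  const { doc, updateButton } = buildPage(injectBeforeLegitimate);
  const vulnerable = firstForm(doc);
  const fixed = closestForm(updateButton);
  return {
    vulnerable: vulnerable ? vulnerable.id : null,
    fixed: fixed ? fixed.id : null,
  };
}

// Defensive variant of the fixed handler (constructed, not from the patch):
// refuse to post when the click did not come from inside a form, instead of
// submitting formid: undefined.
function safeFormId(target) {
  const form = closestForm(target);
  return form && form.id ? form.id : null;
}

console.log("no injection:", selectedFormIds(false));
console.log("with injection:", selectedFormIds(true));
console.log("button outside any form:", safeFormId(makeNode("button", "update")));
```

With no injected form both strategies agree on `profile_form`; once a form precedes the legitimate one in document order, `firstForm` returns `attacker_form` while `closestForm` still returns `profile_form`, which is exactly why the fix anchors the lookup to the event target rather than to document position.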

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
modoboa (PyPI)   < 2.2.2             2.2.2

Affected products

2
  • ghsa-coords
    Range: < 2.2.2
  • modoboa/modoboa/modoboav5
    Range: unspecified

Patches

1
d33d3cd2d11d

Merge pull request #3095 from modoboa/fix/xss_profile_form

https://github.com/modoboa/modoboa · Antoine Nguyen · Oct 19, 2023 · via ghsa
2 files changed · +3 −3
  • modoboa/static/js/twocols_nav.js (+1 −1, modified)
    @@ -30,7 +30,7 @@ TwocolsNav.prototype = {
         listen: function() {
             $("a.ajaxnav").click($.proxy(this.load_section, this));
             $(document).on("click", "#update", $.proxy(function(e) {
    -            var $form = $("form").first();
    +            var $form = $(e.target).closest("form");
                 simple_ajax_form_post(e, {
                     formid: $form.attr("id"),
                     modal: false,
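Review bot: `$(e.target).closest("form")` on the `+` line yields an empty jQuery set when the clicked `#update` element is not inside a form, so `$form.attr("id")` becomes `undefined` and `simple_ajax_form_post` is still called with `formid: undefined`; add a guard before the call, e.g. `if (!$form.length) { return; }`. The selector change itself is the right fix: the old `$("form").first()` chose the form by document position, so any form placed earlier in the page would be the one submitted, whereas walking up from the event target ties the submission to the form the button actually lives in.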
    
  • modoboa/templates/common/generic_field.html (+2 −2, modified)
    @@ -12,7 +12,7 @@
         {% endif %}
       </label>
       {% endif %}
    -  
    +
       <div class="{% render_field_width field %}">
         {% if appended_text %}
         <div class="input-group">
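Review bot: this hunk only strips trailing whitespace from a blank line in generic_field.html and is unrelated to the XSS fix; it is harmless, but keeping cosmetic changes out of a security fix keeps the backport to older branches minimal and the diff easier to audit.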
    @@ -31,7 +31,7 @@
         {% if field.errors %}
         <p class="help-block">
           {% for error in field.errors %}
    -      {{ error|safe }}
    +      {{ error }}
           {% endfor %}
         </p>
         {% endif %}
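Review bot: dropping `|safe` on `{{ error }}` re-enables Django's autoescaping for validation errors, which is the correct default because error strings commonly echo the submitted value; the point to check is whether any form deliberately returns an error containing markup (a link, a `<br>`), since those will now render as literal text. If any do, mark only those messages safe at the source with `format_html` or `mark_safe` rather than restoring the filter in the template, so user-derived text never bypasses escaping.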
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
