
CVE-2019-19702: Modoboa is vulnerable to an XML External Entity Injection (XXE)

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.73457%
Published: 5/24/2022
Updated: 11/22/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name: modoboa-dmarc
Ecosystem: pip
Vulnerable Versions: < 1.2.0
First Patched Version: 1.2.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the XML parsing implementation in import_report. The original code used lxml.objectify.fromstring(), which by default processes external entities. The patch replaced it with defusedxml.ElementTree.fromstring() with forbid_dtd=True, explicitly addressing XXE. The function's role in processing attacker-controlled XML reports (via email attachments) makes it the entry point for exploitation. The code diff and CWE-91/XXE context confirm this is the vulnerable function.
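As an added example (not modoboa-dmarc's own code, and not the defusedxml call the patch uses), the following stdlib-only parser reproduces the forbid_dtd=True behaviour described above by hooking expat's StartDoctypeDeclHandler, so a report that declares any DTD is rejected before entity handling can start. The two DMARC aggregate reports are constructed for the example.

```python
# Added example: mirrors defusedxml's forbid_dtd=True using only the standard
# library (xml.parsers.expat + ElementTree.TreeBuilder) instead of lxml.
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class DTDForbidden(ValueError):
    """Raised when the report carries a <!DOCTYPE ...> declaration."""


def parse_report_no_dtd(data: bytes) -> ET.Element:
    """Build an Element tree, aborting the parse as soon as a DTD appears."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        # Any DTD is refused, so no entity (internal or external) is ever defined.
        raise DTDForbidden(f"DTD declaration for {name!r} is not allowed")

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return builder.close()


def report_accepted(data: bytes) -> bool:
    """True if the report parses under the no-DTD policy, False if rejected."""
    try:
        parse_report_no_dtd(data)
    except DTDForbidden:
        return False
    return True


def summarize_dmarc(data: bytes) -> dict:
    """Extract the fields a DMARC dashboard needs from an aggregate report."""
    root = parse_report_no_dtd(data)
    if root.tag != "feedback":
        raise ValueError("not a DMARC aggregate report")
    rows = [{"source_ip": rec.findtext("row/source_ip"),
             "count": int(rec.findtext("row/count", "0")),
             "dkim": rec.findtext("row/policy_evaluated/dkim"),
             "spf": rec.findtext("row/policy_evaluated/spf")}
            for rec in root.iter("record")]
    return {"org": root.findtext("report_metadata/org_name"),
            "domain": root.findtext("policy_published/domain"),
            "records": rows}


# Constructed sample reports: a clean one and one that declares a DTD.
GOOD_REPORT = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example.net</org_name></report_metadata>
  <policy_published><domain>example.com</domain></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>3</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""
DTD_REPORT = b"""<?xml version="1.0"?>
<!DOCTYPE feedback [<!ENTITY org "example.net">]>
<feedback><report_metadata><org_name>&org;</org_name></report_metadata></feedback>"""
```

Even an internal-only entity like the one in DTD_REPORT is refused, which is the point of forbid_dtd: the parser never has to decide which entity declarations are safe.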


WAF Protection Rules

WAF Rule

The modoboa-dmarc plugin for Modoboa is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as
