7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-19702

GHSA ID

GHSA-vc42-mgr2-w34r

EPSS Score

0.73457%

CWE

CWE-91

Published

5/24/2022

Updated

11/22/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-19702

CVE-2019-19702: Modoboa is vulnerable to an XML External Entity Injection (XXE)

The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML documents that are emailed to the address in the rua field of the DMARC records of a domain.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-19702

GHSA ID

GHSA-vc42-mgr2-w34r

EPSS Score

0.73457%

CWE

CWE-91

Published

5/24/2022

Updated

11/22/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
modoboa-dmarc	pip	< 1.2.0	1.2.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the XML parsing implementation in import_report. The original code used lxml.objectify.fromstring(), which by default processes external entities. The patch replaced it with defusedxml.ElementTree.fromstring() with forbid_dtd=True, explicitly addressing XXE. The function's role in processing attacker-controlled XML reports (via email attachments) makes it the entry point for exploitation. The code diff and CWE-91/XXE context confirm this is the vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** mo*o*o*-*m*r* plu*in *.*.* *or Mo*o*o* is vuln*r**l* to *n XML *xt*rn*l *ntity Inj**tion (XX*) *tt**k w**n pro**ssin* XML **t*. * r*mot* *tt**k*r *oul* *xploit t*is to p*r*orm * **ni*l o* s*rvi** ***inst t** *M*R* r*portin* *un*tion*lity, su** *s

Reasoning

T** vuln*r**ility st*ms *rom t** XML p*rsin* impl*m*nt*tion in import_r*port. T** ori*in*l *o** us** lxml.o*j**ti*y.*romstrin*(), w*i** *y ****ult pro**ss*s *xt*rn*l *ntiti*s. T** p*t** r*pl**** it wit* ***us**xml.*l*m*ntTr**.*romstrin*() wit* *or*i*

7.5

Basic Information

Concerned about an active attack path?

CVE-2019-19702: Modoboa is vulnerable to an XML External Entity Injection (XXE)

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI