Miggo Logo
Miggo Vulnerability Database
CVE-2023-0949

CVE-2023-0949: modoboa Cross-site Scripting vulnerability

4.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-0949
GHSA ID
GHSA-mgmm-cmhj-2h5f
EPSS Score
0.30569%
CWE
CWE-79
Published
2/22/2023
Updated
9/25/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
modoboapip< 2.0.52.0.5

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability was patched by adding htmlEncode() to sanitize the 'text' parameter in the make_tag function. The commit diff shows the vulnerable code used "html": " " + text without encoding, while the fix uses "html": " " + htmlEncode(text). This function handles tag creation in the UI, making it the clear XSS vector when rendering user-controlled input without proper sanitization.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross-sit* S*riptin* (XSS) - R**l**t** in *it*u* r*pository mo*o*o*/mo*o*o* prior to *.*.**.

Reasoning

T** vuln*r**ility w*s p*t**** *y ***in* `*tml*n*o**()` to s*nitiz* t** 't*xt' p*r*m*t*r in t** `m*k*_t**` *un*tion. T** *ommit *i** s*ows t** vuln*r**l* *o** us** "*tml": " " + t*xt wit*out *n*o*in*, w*il* t** *ix us*s "*tml": " " + `*tml*n*o**`(t*xt