
CVE-2023-2160: Modoboa has Weak Password Requirements

CVSS Score (v3.0): 6.3

Basic Information

EPSS Score: 0.17453%
Published: 4/18/2023
Updated: 9/30/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Package Name    Ecosystem    Vulnerable Versions    First Patched Version
modoboa         pip          <= 2.0.5               2.1.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from insufficient validation in the password update process. The commit diff shows that the fix added server-side checks in the clean() method requiring both the 'newpassword' and 'confirmation' fields whenever either one is present. Before the fix, the absence of these checks allowed partial submissions (for example, a weak new password sent without a confirmation), which could bypass the path where password strength was enforced. The diff itself does not show password complexity checks, but the CWE-521 (Weak Password Requirements) classification and the vulnerability description indicate that weak passwords were accepted, implying that the validation logic in this method was incomplete or not consistently enforced.
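To make the failure mode concrete, the following is an added, hypothetical model of the validation described above; it is not Modoboa's code, and the field names, the `ValidationError` stand-in and the strength policy (`MIN_LENGTH`, letter/digit mix) are assumptions. `clean_vulnerable` mimics a form where both fields are optional and the strength check only runs on the confirmation path, so a submission that omits `confirmation` is accepted with any `newpassword`; `clean_fixed` requires both fields whenever either is present and always runs the strength check.

```python
"""Illustrative model of a Django-style password-change form clean() method.

Hypothetical example (not Modoboa's code). Field names, the strength policy
and the ValidationError stand-in are assumptions made for this demonstration.
"""
import re
from typing import Callable, Dict, List

MIN_LENGTH = 8  # assumed policy; the real project's policy is not on the page


class ValidationError(Exception):
    """Stands in for django.core.exceptions.ValidationError."""


def check_strength(password: str) -> List[str]:
    """Return a list of policy violations (empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(password)) == 1:
        problems.append("single repeated character")
    if not re.search(r"[A-Za-z]", password) or not re.search(r"\d", password):
        problems.append("must mix letters and digits")
    return problems


def clean_vulnerable(data: Dict[str, str]) -> Dict[str, str]:
    """Model of the pre-fix behaviour: both fields are optional and the
    match + strength checks hang off the confirmation field, so a request
    that omits 'confirmation' is accepted with an arbitrary 'newpassword'."""
    new = data.get("newpassword", "")
    conf = data.get("confirmation", "")
    if conf:
        if new != conf:
            raise ValidationError("passwords do not match")
        problems = check_strength(new)
        if problems:
            raise ValidationError("; ".join(problems))
    return {"newpassword": new}


def clean_fixed(data: Dict[str, str]) -> Dict[str, str]:
    """Model of the post-fix behaviour: if either field is present, both are
    required, they must match, and the strength check always runs."""
    new = data.get("newpassword", "")
    conf = data.get("confirmation", "")
    if new or conf:
        if not new:
            raise ValidationError("newpassword is required")
        if not conf:
            raise ValidationError("confirmation is required")
        if new != conf:
            raise ValidationError("passwords do not match")
        problems = check_strength(new)
        if problems:
            raise ValidationError("; ".join(problems))
    # Neither field sent: no password change requested, nothing to validate.
    return {"newpassword": new}


def outcome(clean: Callable[[Dict[str, str]], Dict[str, str]],
            data: Dict[str, str]) -> str:
    """Run a clean() variant and report the result as a short string."""
    try:
        clean(data)
        return "accepted"
    except ValidationError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample submissions (not real traffic)
    samples = [
        ("partial", {"newpassword": "a"}),  # confirmation omitted
        ("full_weak", {"newpassword": "a", "confirmation": "a"}),
        ("full_ok", {"newpassword": "correct-h0rse-9",
                     "confirmation": "correct-h0rse-9"}),
    ]
    for name, sub in samples:
        print(f"{name:10} vulnerable -> {outcome(clean_vulnerable, sub)}")
        print(f"{name:10} fixed      -> {outcome(clean_fixed, sub)}")
```

The point the model makes is structural: a strength check that is reachable only through an optional field is not a control, because the client decides whether that field is sent. Tying the "both or neither" requirement and the strength check to the presence of either field moves the decision back to the server.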


WAF Protection Rules

WAF Rule

Modoboa 2.0.5 and prior allows users to set unsafe passwords (the specific example strings are obscured on this page). This issue is fixed in a commit (hash not shown on this page) that is part of version 2.1.0.
