
CVE-2023-5689: modoboa Cross-site Scripting vulnerability

CVSS Score (v3.0): 7.1

Basic Information

EPSS Score: 0.35251%
Published: 10/20/2023
Updated: 10/1/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Package Name: modoboa
Ecosystem: pip
Vulnerable Versions: < 2.2.2
First Patched Version: 2.2.2

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The key vulnerability stems from the use of the '|safe' filter in Django template error rendering, which disabled automatic HTML escaping. This allowed XSS if error messages contained user-controlled input. The patch removed the '|safe' filter (changing to {{ error }}), enabling proper auto-escaping. The JavaScript modification in twocols_nav.js appears to be a secondary fix for form targeting but doesn't directly enable XSS.
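As an added illustration of the root cause described above (not code from modoboa, Django or the advisory): a minimal stand-in for Django's autoescaped variable rendering shows how `{{ error|safe }}` passes an error message built from a constructed user-supplied value through unescaped, while the patched `{{ error }}` escapes it, and a small helper audits templates for `|safe` applied to message variables. The templates, the `render` stand-in, `build_error` and the sample input are assumptions for this example.

```python
import html
import re

# Constructed templates mirroring the pattern the advisory describes:
# the pre-fix form applies '|safe' to the error variable; the patch drops it.
VULNERABLE_TEMPLATE = '<p class="error">{{ error|safe }}</p>'
PATCHED_TEMPLATE = '<p class="error">{{ error }}</p>'

# Matches {{ name }} or {{ name|filter }} (a single filter is enough here).
VAR_RE = re.compile(r"\{\{\s*(\w+)\s*(?:\|\s*(\w+)\s*)?\}\}")


def render(template: str, context: dict) -> str:
    """Minimal stand-in for Django's autoescaping of template variables
    (this is not Django's engine). A plain {{ var }} is HTML-escaped;
    {{ var|safe }} is inserted verbatim, which is what the '|safe' filter
    does in a real Django template and why it re-opens XSS."""
    def substitute(match: re.Match) -> str:
        name, filt = match.group(1), match.group(2)
        value = str(context.get(name, ""))
        return value if filt == "safe" else html.escape(value, quote=True)
    return VAR_RE.sub(substitute, template)


def build_error(user_value: str) -> str:
    """Error message that echoes user-controlled input: the precondition the
    advisory names for the template bug to become exploitable."""
    return f"Invalid value: {user_value}"


def find_safe_filters(template: str) -> list:
    """Audit helper: names of variables rendered with '|safe'. Any error or
    message variable in this list deserves review, as in the modoboa fix."""
    return [name for name, filt in VAR_RE.findall(template) if filt == "safe"]


if __name__ == "__main__":
    # Constructed sample input containing markup, as a user could submit it.
    error = build_error("<script>alert(1)</script>")
    print("vulnerable:", render(VULNERABLE_TEMPLATE, {"error": error}))
    print("patched:   ", render(PATCHED_TEMPLATE, {"error": error}))
    print("|safe on:  ", find_safe_filters(VULNERABLE_TEMPLATE))
```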


WAF Protection Rules

WAF Rule

Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.
