Modoboa: >> Modoboa >> 0.2 Security Vulnerabilities
Modoboa is a mail hosting and management platform. Prior to version 2.7.1, `exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue.
CVSS Score
7.2
EPSS Score
0.001
Published
2026-03-25
Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.2.2.
CVSS Score
5.3
EPSS Score
0.004
Published
2023-10-20
Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.
CVSS Score
9.8
EPSS Score
0.002
Published
2023-10-20
Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.
CVSS Score
7.1
EPSS Score
0.002
Published
2023-10-20
Improper Authorization in GitHub repository modoboa/modoboa prior to 2.1.0.
CVSS Score
9.1
EPSS Score
0.904
Published
2023-04-21
Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.1.0.
CVSS Score
6.8
EPSS Score
0.001
Published
2023-04-21
Weak Password Requirements in GitHub repository modoboa/modoboa prior to 2.1.0.
CVSS Score
6.3
EPSS Score
0.001
Published
2023-04-18
Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.
CVSS Score
8.6
EPSS Score
0.76
Published
2023-02-10
Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.
CVSS Score
5.4
EPSS Score
0.002
Published
2023-01-23