Modoboa is vulnerable to an XML External Entity Injection (XXE)
High severity
GitHub Reviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Nov 22, 2024
Description
Published by the National Vulnerability Database
Dec 10, 2019
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Apr 29, 2024
Last updated
Nov 22, 2024
The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML documents that are emailed to the address in the rua field of the DMARC records of a domain.
References