Description
I noticed, your website is very secure.
But you overlooked a flaw DOM XSS.
Detail:
1 .Login with demo account.
2 .Go to the link: https://demo.modoboa.org/user/#profile/ and click Update
3 .Use burp to block proxy and inject payload in &language:
<img+src=0+onerror=alert(document.cookie)>
Proof of Concept
Video Poc
https://drive.google.com/file/d/1DpThlp36jJ7hcjGzehX4wlof3KsPux8O/view?usp=sharing