Lucene search
K

275 matches found

Nuclei
Nuclei
added yesterday59 views

modoboa 2.0.4 - Admin TakeOver

Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4. id: CVE-2023-0777 info: name: modoboa 2.0.4 - Admin TakeOver author: r3Y3r53 severity: critical description: | Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to...

9.8CVSS7AI score0.15088EPSS
Exploits4References4
Nuclei
Nuclei
added 2 days ago78 views

Modoboa < 2.1.0 - Improper Authorization

Improper Authorization in GitHub repository modoboa/modoboa prior to 2.1.0. id: CVE-2023-2227 info: name: Modoboa 2.1.0 - Improper Authorization author: ritikchaddha,princechaddha severity: critical description: | Improper Authorization in GitHub repository modoboa/modoboa prior to 2.1.0. impact:...

9.1CVSS7AI score0.43756EPSS
Exploits1References3
Snyk
Snyk
added 2026/06/29 7:29 p.m.6 views

Authorization Bypass Through User-Controlled Key

Overview modoboa is a Mail hosting made simple Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the PUT /api/v1/accounts/pk/password/ endpoint. An attacker can gain unauthorized access to privileged accounts by bypassing object-level access...

7.7CVSS5.8AI score0.00265EPSS
Exploits0References2
NVD
NVD
added 2026/06/29 6:16 p.m.11 views

CVE-2026-56780

Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/pk/password/ endpoint that allows domain administrators to change any user's password. Attackers with domain admin privileges can bypass object-level access controls to reset superadmin...

7.7CVSS0.00265EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/29 5:14 p.m.34 views

CVE-2026-56780 Modoboa < 2.9.0 - Insecure Direct Object Reference in Account Password Change API

Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/pk/password/ endpoint that allows domain administrators to change any user's password. Attackers with domain admin privileges can bypass object-level access controls to reset superadmin...

7.7CVSS0.00265EPSS
Exploits0References3
CVE
CVE
added 2026/06/29 5:14 p.m.12 views

CVE-2026-56780

Modoboa prior to version 2.9.0 contains an insecure direct object reference in the PUT /api/v1/accounts/{pk}/password/ API. This flaw allows domain administrators to bypass object‑level access controls and change any user’s password, enabling full account takeover by resetting superadmin password...

7.7CVSS5.8AI score0.00265EPSS
Exploits0References3
OSV
OSV
added 2026/06/29 5:14 p.m.1 views

CVE-2026-56780 Modoboa < 2.9.0 - Insecure Direct Object Reference in Account Password Change API

Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/pk/password/ endpoint that allows domain administrators to change any user's password. Attackers with domain admin privileges can bypass object-level access controls to reset superadmin...

7.7CVSS6AI score0.00265EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/03/26 11:3 p.m.4 views

CVE-2026-27602

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, execcmd in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacte...

7.2CVSS6AI score0.00566EPSS
Exploits1References1
NVD
NVD
added 2026/03/25 7:16 p.m.5 views

CVE-2026-27602

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, execcmd in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacte...

7.2CVSS0.00566EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/03/25 6:49 p.m.22 views

CVE-2026-27602 Modoboa has an OS Command Injection

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, execcmd in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacte...

7.2CVSS0.00566EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/03/25 6:49 p.m.3 views

CVE-2026-27602 Modoboa has an OS Command Injection

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, execcmd in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacte...

7.2CVSS5.9AI score0.00566EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/03/25 6:49 p.m.2 views

CVE-2026-27602

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, execcmd in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacte...

7.2CVSS5.9AI score0.00566EPSS
Exploits1References4Affected Software1
CVE
CVE
added 2026/03/25 6:49 p.m.22 views

CVE-2026-27602

Modoboa contains an OS command injection vulnerability (CWE-like) due to exec_cmd paths using subprocess with shell=True and unsanitized domain/input values. In modoboa/lib/sysutils.py and related sinks (DKIM domain handling, mailbox rename, sa-learn, doveadm, rrdtool, webmail operations), domain...

7.2CVSS5.9AI score0.00566EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/03/25 6:49 p.m.5 views

CVE-2026-27602 Modoboa has an OS Command Injection

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, execcmd in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacte...

7.2CVSS6AI score0.00566EPSS
Exploits1References5
vulnersOsv
vulnersOsv
added 2026/03/25 5:3 p.m.6 views

modoboa-automua (=1.0.0), modoboa-contacts (>=0.8.0 <=0.9.3) +1 more potentially affected by CVE-2026-27602 via modoboa (>=1.17.0 <=2.3.6)

modoboa PYPI version =1.17.0, =0.8.0, =1.4.0, =1.6.3 Source cves: CVE-2026-27602 Source advisory: OSV:GHSA-WWV8-CQPR-VX3M...

7.2CVSS5.4AI score0.00566EPSS
Exploits1
Snyk
Snyk
added 2026/03/25 5:3 p.m.3 views

Command Injection

Overview modoboa is a Mail hosting made simple Affected versions of this package are vulnerable to Command Injection via the execcmd function. An attacker who has Reseller or SuperAdmin privileges can execute arbitrary operating system commands by supplying specially crafted input, such as domain...

8.6CVSS6.1AI score0.00566EPSS
Exploits1References2
vulnersOsv
vulnersOsv
added 2026/03/25 5:3 p.m.8 views

modoboa-contacts (>=0.8.0 <=0.9.3), modoboa-radicale (>=1.4.0 <=1.6.3) potentially affected by CVE-2026-27602 via modoboa (=2.3.6)

modoboa PYPI version =2.3.6 is affected by a known vulnerability. The following packages have a transitive dependency on modoboa and may be impacted: - modoboa-contacts =0.8.0, =1.4.0, =1.6.3 Source cves: CVE-2026-27602 Source advisory: SNYK:PYTHON-MODOBOA-15766702...

7.2CVSS5.8AI score0.00566EPSS
Exploits1
EUVD
EUVD
added 2026/03/25 5:3 p.m.6 views

EUVD-2026-15951

Modoboa has OS Command Injection...

7.2CVSS5.8AI score0.00566EPSS
Exploits1References3
OSV
OSV
added 2026/03/25 5:3 p.m.5 views

GHSA-WWV8-CQPR-VX3M Modoboa has OS Command Injection

Summary execcmd in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server...

7.2CVSS6.1AI score0.00566EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/03/25 5:3 p.m.17 views

Modoboa has OS Command Injection

Summary execcmd in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server...

7.2CVSS6.1AI score0.00566EPSS
Exploits1References5Affected Software1
Rows per page
Query Builder