Headline
CVE-2023-5688: DOM XSS in https://demo.modoboa.org/user/#profile/ in modoboa
Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.
Description
I noticed your website is very secure, but you overlooked a DOM XSS flaw.
Detail:
1. Log in with the demo account.
2. Go to the link https://demo.modoboa.org/user/#profile/ and click Update.
3. Use Burp to intercept the request in the proxy and inject the payload into the &language parameter:
<img+src=0+onerror=alert(document.cookie)>
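The root cause behind a report like this is a profile value that is echoed into page markup without encoding or validation. The following is an added illustration, not modoboa's code: it places the unsafe concatenation pattern next to two defensive fixes, output encoding for free-form text and server-side allowlist validation for an enumerated field such as a language code. Function names, the allowlist and the sample values are assumptions constructed for the example.

```javascript
// Added example (not modoboa's code): the unsafe rendering pattern behind a
// DOM XSS in a profile field, next to two defensive fixes. Function names,
// the allowlist and the sample values are assumptions for this illustration.

// Constructed sample: "language" values as they might arrive from a profile
// update request, including the string from the report above.
const SAMPLE_VALUES = [
  "en",
  "fr",
  "<img src=0 onerror=alert(document.cookie)>",
];

// Vulnerable pattern: the stored value is concatenated straight into markup
// that the page later assigns to innerHTML, so any tag in it becomes live DOM.
function renderUnsafe(language) {
  return `<span class="lang">${language}</span>`;
}

// Fix 1: HTML-encode anything rendered as text. This is the general remedy for
// free-form fields and turns "<img ...>" into inert text.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderEscaped(language) {
  return `<span class="lang">${escapeHtml(language)}</span>`;
}

// Fix 2: a language code is an enumerated value, so validate it against an
// allowlist on the server and fall back to a default rather than storing or
// echoing arbitrary input. (Allowlist contents are an assumption.)
const ALLOWED_LANGUAGES = new Set(["en", "fr", "de", "es", "it", "pt"]);
const DEFAULT_LANGUAGE = "en";

function normalizeLanguage(value) {
  const candidate = String(value).trim().toLowerCase();
  return ALLOWED_LANGUAGES.has(candidate) ? candidate : DEFAULT_LANGUAGE;
}

function renderValidated(language) {
  return `<span class="lang">${normalizeLanguage(language)}</span>`;
}

// Simple check used only to compare the three renderers: does the inner
// content still contain the start of an HTML tag?
function containsTag(html) {
  const inner = html.replace(/^<span class="lang">/, "").replace(/<\/span>$/, "");
  return /<[a-z]/i.test(inner);
}

// Summarise how each renderer treats a given input value.
function compare(value) {
  return {
    unsafe: containsTag(renderUnsafe(value)),
    escaped: containsTag(renderEscaped(value)),
    validated: containsTag(renderValidated(value)),
    normalized: normalizeLanguage(value),
  };
}

for (const v of SAMPLE_VALUES) {
  console.log(JSON.stringify({ input: v, ...compare(v) }));
}
```

For a field with a fixed set of legal values, the allowlist is the stronger fix because it rejects the bad input before it is ever persisted; output encoding remains necessary for every other place user-controlled text reaches the DOM.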
Proof of Concept
Video PoC
https://drive.google.com/file/d/1DpThlp36jJ7hcjGzehX4wlof3KsPux8O/view?usp=sharing
Impact
This vulnerability could be used to steal multiple users' cookies, gain unauthorized access to those users' accounts through the stolen cookies, or redirect users to other malicious websites…
Related news
GHSA-pqgm-9g82-wcm7: modoboa Cross-site Scripting vulnerability
Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.