CVE-2023-0398: Merge pull request #2752 from modoboa/fix/delete_domain_post · modoboa/modoboa@8e14ac9

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.


@@ -16,6 +16,7 @@

from django.utils.translation import ugettext as _, ungettext

from django.views import generic

from django.views.decorators.csrf import ensure_csrf_cookie

from django.views.decorators.http import require_http_methods

from modoboa.core import signals as core_signals

from modoboa.lib.exceptions import PermDeniedException
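
Review bot: the `require_http_methods` import in this hunk is used only to pin a single view to POST; `django.views.decorators.http` also exports `require_POST`, which states the same restriction without a method list to mistype. Either form works, but if other state-changing views in this module get the same treatment, pick one and use it consistently. The rendered hunk has lost its +/- markers, so which line is new is inferred from the header (6 lines before, 7 after) and from the decorator applied in the next hunk.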

@@ -230,6 +231,7 @@ def editdomain(request, dom_id):

@login_required

@permission_required(“admin.delete_domain”)

@require_http_methods([“POST”])

def deldomain(request, dom_id):

keepdir = request.POST.get("keepdir", “false”) == “true”

try:
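
Review bot: on `deldomain`, `@require_http_methods(["POST"])` only rejects the other methods; the forgery protection itself comes from Django's CSRF token check, which skips GET, HEAD, OPTIONS and TRACE, so confirm that `CsrfViewMiddleware` is enabled for this view and that the view is not marked `csrf_exempt`. The decorator sits below `@login_required` and `@permission_required`, so an anonymous GET is redirected to login rather than answered with 405, which is acceptable but matters when writing the test. No test is visible in this change: add one that sends a GET to the delete URL as a logged-in admin and asserts both a 405 response and that the domain still exists. `editdomain`, named in the hunk header, and the other state-changing views in this file deserve the same check.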

Related news

GHSA-v9gj-5rgp-w33r: Modoboa is vulnerable to Cross-Site Request Forgery

Modoboa 2.0.3 and prior is vulnerable to Cross-Site Request Forgery. A patch is available and anticipated to be part of version 2.0.4.
