Modoboa is a mail hosting and management platform. Prior to version 2.7.1, `exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HModoboa
APPModoboa< 2.7.1
Related vulnerabilities
Improper Authorization in GitHub repository modoboa/modoboa prior to 2.1.0.
Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.
Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.2.2.
Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.
Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.