CVE-2023-0777
published 2023-02-10

CVE-2023-0777: Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.

Priority: P269, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 15.09% (96.3th percentile)
Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.

Affected

6 ranges
Vendor | Product | Version range | Fixed in
concrete5 | concrete5 | >= 0 < 8.5.13 | 8.5.13
concrete5 | concrete5 | >= 9.0.0 < 9.2.2 | 9.2.2
modoboa | modoboa | < 2.0.4 | 2.0.4
modoboa | modoboa | >= 0 < 2.0.4 | 2.0.4
modoboa | modoboa | >= 0 < 47d17ac6643f870719691073956a26e4be0a4806 | 47d17ac6643f870719691073956a26e4be0a4806
modoboa | modoboa_modoboa | >= unspecified < 2.0.4 | 2.0.4

Detection & IOCs (extracted from sources)

url: /api/v2/token/
url: /accounts/login/
url: /dashboard/
  • Detect exploit attempts by matching POST requests to /api/v2/token/ with multipart/form-data Content-Type using the specific boundary string '25524418606542250161357131552' and User-Agent 'Anonymous'.
  • Alert on successful authentication (HTTP 200) to /api/v2/token/ followed by access to /dashboard/ containing 'Hello admin' — indicates successful admin takeover via default credentials.
  • Identify Modoboa instances exposed on the internet using Shodan query 'html:"Modoboa"' or favicon hash 1949005079, which are potential targets for this exploit.
  • The exploit uses default credentials (username: admin, password: password) against the /accounts/login/ endpoint with a CSRF token extracted from the login page — monitor for login attempts with these credentials.
  • The exploit performs brute-force at a rate-limited ~50 requests/second against /api/v2/token/ — monitor for high-frequency POST requests to this endpoint from a single source IP.
  • The vulnerability affects modoboa versions prior to 2.0.4 only; patched in commit 47d17ac6643f870719691073956a26e4be0a4806.
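
The request-rate and request-sequence checks from the bullets above, applied to web access logs, as an added example that is not part of the original page or of any Modoboa tooling. The Combined Log Format, the 20-per-second threshold and the sample lines are assumptions; access logs carry no response body, so the 'Hello admin' match is not checked here.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

TOKEN_PATH = "/api/v2/token/"    # endpoint named on this page
DASHBOARD_PATH = "/dashboard/"   # endpoint named on this page
RATE_THRESHOLD = 20              # assumed alert level: POSTs per second per source IP

# Combined Log Format prefix: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines that do not match the format are skipped
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def detect(lines, rate_threshold=RATE_THRESHOLD):
    per_second = Counter()       # (ip, one-second timestamp) -> POSTs to the token endpoint
    token_ok = {}                # ip -> time of its first HTTP 200 from the token endpoint
    findings = defaultdict(set)
    for ip, ts, method, path, status in sorted(parse(lines), key=lambda e: e[1]):
        if method == "POST" and path == TOKEN_PATH:
            per_second[(ip, ts)] += 1
            if per_second[(ip, ts)] == rate_threshold:
                findings[ip].add("token-bruteforce-rate")
            if status == 200:
                token_ok.setdefault(ip, ts)
        elif path == DASHBOARD_PATH and status == 200 and ip in token_ok:
            findings[ip].add("token-200-then-dashboard")
    return {ip: sorted(tags) for ip, tags in findings.items()}

def sample_log():
    # Constructed lines in Combined Log Format; addresses are documentation ranges.
    fmt = '{ip} - - [10/Feb/2023:12:00:{s:02d} +0000] "{req} HTTP/1.1" {st} 58 "-" "{ua}"'
    src = dict(ip="203.0.113.7", ua="Anonymous")
    lines = [fmt.format(s=1, req="POST /api/v2/token/", st=401, **src)] * 24
    lines.append(fmt.format(s=2, req="POST /api/v2/token/", st=200, **src))
    lines.append(fmt.format(s=3, req="GET /dashboard/", st=200, **src))
    lines.append(fmt.format(ip="198.51.100.20", ua="Mozilla/5.0", s=2, req="POST /api/v2/token/", st=401))
    lines.append(fmt.format(ip="198.51.100.20", ua="Mozilla/5.0", s=4, req="GET /accounts/login/", st=200))
    return lines

if __name__ == "__main__":
    print(detect(sample_log()))
```

A source IP carrying both tags is the stronger signal; the sequence tag alone also matches a legitimate API login followed by a dashboard visit, so tune the threshold and triage accordingly.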

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v3.0 | 8.6 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
vendor_redhat | | 3.9 | LOW |