CVE-2023-2227
published 2023-04-21

CVE-2023-2227: Improper Authorization in GitHub repository modoboa/modoboa prior to 2.1.0.

Priority: P2 · 71 · critical · 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EXPLOIT: known
EPSS: 43.76% (98.6th percentile)

Affected (4 ranges)

Vendor     Product           Version range                                          Fixed in
modoboa    modoboa           < 2.1.0                                                2.1.0
modoboa    modoboa           >= 0 < 2.1.0                                           2.1.0
modoboa    modoboa           >= 0 < 7bcd3f6eb264d4e3e01071c97c2bac51cdd6fe97        7bcd3f6eb264d4e3e01071c97c2bac51cdd6fe97 (commit)
modoboa    modoboa_modoboa   >= unspecified < 2.1.0                                 2.1.0

Detection & IOCs (extracted from sources)

URL: /api/v2/parameters/core/
  • An unauthenticated GET request to /api/v2/parameters/core/ that returns HTTP 200 with a JSON body containing 'label":', 'default_password":' and 'authentication_type":"local' indicates successful exploitation of the improper authorization vulnerability.
  • All three strings must be present in the response body at the same time to confirm sensitive configuration exposure; a partial match is not sufficient.
  • The response Content-Type header must be 'application/json'. This distinguishes the raw configuration payload returned by the API from an HTML login or error page that a non-API route would return.
  • Shodan/FOFA fingerprinting: identify exposed Modoboa instances via favicon hash 1949005079 or an HTML body containing the strings 'modoboa' or 'Modoboa'.
  • Only Modoboa versions prior to 2.1.0 are affected; instances running 2.1.0 or later enforce authorization on the parameters API endpoint.
  • The exploit is unauthenticated (PR:N) and needs no credentials, so any exposed Modoboa instance below 2.1.0 is trivially exploitable.
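The indicators above are written as Nuclei-style matchers (status code, Content-Type, raw substrings). The script below is an added example, not code from this advisory or from the Modoboa project: it applies those matchers exactly as stated to an HTTP response, adds a version check for the "< 2.1.0" range, and shows a structural JSON check for the case the raw substrings miss. The sample response body is constructed for the example; its field layout is only illustrative and is not the real Modoboa API schema. The base URL in check_instance is an assumed input, and that function is the only part that touches the network.

```python
"""Offline check for the CVE-2023-2227 detection indicators (added example)."""
import json
import re
import urllib.error
import urllib.request
from typing import Mapping

ENDPOINT = "/api/v2/parameters/core/"
# Raw substring indicators exactly as the advisory lists them.
BODY_INDICATORS = ('label":', 'default_password":', 'authentication_type":"local')

# Constructed sample body (illustrative shape, NOT the real Modoboa schema).
# DRF renders compact JSON by default, so the constructed body is compact too.
SAMPLE_PARAMS = {
    "label": "General",
    "params": {"authentication_type": "local", "default_password": "ChangeMe1!"},
}
SAMPLE_BODY = json.dumps(SAMPLE_PARAMS, separators=(",", ":"))
# Same data pretty-printed: a space after every colon.
PRETTY_BODY = json.dumps(SAMPLE_PARAMS, indent=2)


def is_affected_version(version: str) -> bool:
    """True for Modoboa releases strictly below the 2.1.0 fix (page: '< 2.1.0').
    Only the leading numeric part is compared; '2.1.0rc1' is treated as 2.1.0."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(0).split(".")[:3])
    parts += (0,) * (3 - len(parts))
    return parts < (2, 1, 0)


def matches_indicators(status: int, headers: Mapping[str, str], body: str) -> bool:
    """Apply the page's matchers: HTTP 200, application/json, all three substrings."""
    if status != 200:
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False
    return all(ind in body for ind in BODY_INDICATORS)


def _collect(node, found: dict) -> None:
    """Recursively record the first value seen for every key in a JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            found.setdefault(key, value)
            _collect(value, found)
    elif isinstance(node, list):
        for item in node:
            _collect(item, found)


def exposes_local_auth_params(body: str) -> bool:
    """Structural variant of the same check: parse the JSON and look for the
    same three fields, so formatting (e.g. a space after the colon) cannot
    make a leaked configuration slip past the raw substring matchers."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    found: dict = {}
    _collect(data, found)
    return (
        "label" in found
        and "default_password" in found
        and found.get("authentication_type") == "local"
    )


def check_instance(base_url: str, timeout: float = 10.0) -> bool:
    """Unauthenticated GET against a live instance you are authorised to test.
    Assumes base_url like 'https://mail.example.org' (assumed input)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        headers={"Accept": "application/json"},
        method="GET",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return matches_indicators(resp.status, dict(resp.headers.items()), body)
    except urllib.error.HTTPError:
        # 401/403 is the expected behaviour once authorization is enforced.
        return False


if __name__ == "__main__":
    hdrs = {"Content-Type": "application/json"}
    print("compact body, raw matchers :", matches_indicators(200, hdrs, SAMPLE_BODY))
    print("pretty body, raw matchers  :", matches_indicators(200, hdrs, PRETTY_BODY))
    print("pretty body, structural    :", exposes_local_auth_params(PRETTY_BODY))
    print("2.0.4 affected             :", is_affected_version("2.0.4"))
```

The pretty-printed case is the caveat worth knowing: the third indicator, 'authentication_type":"local', assumes no whitespace after the colon, so a proxy or renderer that reformats JSON would defeat the raw matcher while the data is just as exposed. Run the structural check alongside the raw one when triaging, and treat a 401 or 403 from the endpoint as the patched behaviour rather than an error.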

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      9.1     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd      v3.0      9.1     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N