Advisories for Pypi/Modoboa package

Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.

Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.2.2.

modoboa prior to 2.1.0 is vulnerable to cross-site request forgery. An attacker must be logged in as admin to exploit this issue.

In modoboa prior to 2.1.0, sending a GET request to the endpoint /api/v2/parameters/core/ returns sensitive information without any authentication or authorization.

Modoboa 2.0.5 and prior allows users to set unsafe passwords, such as 1 or HACK. This issue is fixed in commit 130257c96a2392ada795785a91178e656e27015c and is part of version 2.1.0.

Cross-site Scripting (XSS) - Reflected in GitHub repository modoboa/modoboa prior to 2.0.45.

Improper Restriction of Excessive Authentication Attempts in GitHub repository modoboa/modoboa-installer prior to 2.0.4.

Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.

Cross-site Scripting (XSS) - Stored in GitHub repository modoboa/modoboa prior to 2.0.4.

Cross-site Scripting (XSS) - Stored in GitHub repository modoboa/modoboa prior to 2.0.4.

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.