PYSEC-2019-251

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/modoboa/PYSEC-2019-251.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2019-251
Withdrawn
2024-11-22T04:37:04Z
Published
2019-12-10T20:15:00Z
Modified
2025-10-09T06:41:07.093964Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML documents that are emailed to the address in the rua field of the DMARC records of a domain.
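
A defensive sketch of the parsing side, added here as an example and not taken from modoboa-dmarc: it refuses any aggregate report that declares a DTD before a tree is built, which removes the entity mechanism the advisory describes. The function names, the size cap and both sample documents are constructed assumptions, and the report layout is assumed to be un-namespaced.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

MAX_REPORT_BYTES = 10 * 1024 * 1024  # assumed cap, not a modoboa setting


class UnsafeReport(ValueError):
    """Report uses XML features a DMARC aggregate report never needs."""


def _reject_doctype(name, system_id, public_id, has_internal_subset):
    # Entities, internal or external, can only be declared inside a DTD,
    # so refusing the DOCTYPE refuses every entity declaration at once.
    raise UnsafeReport(f"DOCTYPE {name!r} not allowed in a DMARC report")


def parse_dmarc_report(xml_bytes):
    """Return one dict per <record>; raise UnsafeReport on rejected input."""
    if len(xml_bytes) > MAX_REPORT_BYTES:
        raise UnsafeReport("report too large")
    # Pass 1: walk the document with expat only to detect a DTD.
    checker = expat.ParserCreate()
    checker.StartDoctypeDeclHandler = _reject_doctype
    try:
        checker.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        raise UnsafeReport(f"malformed XML: {exc}") from exc
    # Pass 2: no DTD is present, so the tree can be built normally.
    root = ET.fromstring(xml_bytes)
    rows = []
    for rec in root.iter("record"):
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count", "0")),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
        })
    return rows


# Constructed samples, not real reports. WITH_DTD declares a harmless
# internal entity; an external one is refused at the same point.
GOOD = (b"<feedback><record><row><source_ip>192.0.2.10</source_ip>"
        b"<count>3</count><policy_evaluated><disposition>none</disposition>"
        b"</policy_evaluated></row></record></feedback>")
WITH_DTD = (b'<!DOCTYPE feedback [<!ENTITY x "placeholder">]>'
            b"<feedback><record><row><source_ip>&x;</source_ip>"
            b"</row></record></feedback>")
```

Call `parse_dmarc_report()` on the decompressed attachment bytes and treat `UnsafeReport` as a reason to drop the message rather than retry it.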

Affected packages

PyPI / modoboa

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

0.*
0.7.0
1.*
1.2.0-rc2
1.2.0
1.2.1
1.2.2
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.5.0
1.5.1
1.5.2
1.5.3
1.6.0
1.6.1
1.6.2
1.6.3
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.8.0
1.8.1
1.8.2
1.8.3
1.9.0
1.9.1
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4
1.10.5
1.10.6
1.10.7
1.11.0
1.11.1
1.12.0
1.12.1
1.12.2
1.13.0
1.13.1
1.14.0
1.15.0
1.16.0
1.16.1
1.17.0
2.*
2.0.0b1
2.0.0b2
2.0.0b3
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.1.0
2.1.1
2.1.2.dev0
2.1.2
2.1.3.dev0
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.3.0b1
2.3.0b2
2.3.0b3
2.3.0b4
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.4.10
2.4.11
2.5.0
2.5.1
2.6.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/modoboa/PYSEC-2019-251.yaml"