XML External Entity Injection in Modoboa DMARC Plugin
CVE-2019-19702

7.5HIGH

Key Information:

Vendor: Modoboa
Status: Modoboa-dmarc
Vendor: CVE Published:; 10 December 2019

What is CVE-2019-19702?

The modoboa-dmarc plugin version 1.1.0 for Modoboa is susceptible to an XML External Entity Injection (XXE) attack. This vulnerability arises during the processing of XML data, enabling a remote attacker to manipulate XML documents sent to the DMARC reporting address specified in the rua field. By referencing sensitive files such as /dev/random in these documents, the attacker could potentially disrupt the DMARC reporting functionality, leading to a denial of service.

References

https://github.com/modoboa/modoboa-dmarc/issues/38

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 10, 2019
Vulnerability Reserved
Dec 10, 2019

CVE-2019-19702 Data

JSON