Impact
An insecure direct object reference in the account password change API allows a domain administrator to reset any user’s password, bypassing object-level access controls. This flaw enables the administrator to change a superadmin password and acquire full control over the entire system. The weakness is a classic case of privilege escalation, represented by CWE-639.
Affected Systems
Modoboa versions earlier than 2.9.0 are affected. The vulnerability exists in the account password change endpoint, permitting domain administrators to override intended access controls.
Risk and Exploitability
The vulnerability has a CVSS score of 7.7. No EPSS score is available, and it is not listed in the CISA KEV catalog. Exploitation most likely requires an authenticated domain administrator who can invoke the API endpoint. With such privileges, the attacker can reset any user’s password, including that of a superadmin, achieving full account takeover.
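As an added illustration (hypothetical code, not Modoboa's implementation), the pattern behind CWE-639 in a password change handler: the vulnerable version trusts the client-supplied account id once the caller's role passes, while the fixed version authorizes the caller against the resolved target account. The `User` model, `USERS` table, `can_manage` check and the role labels are assumptions made for this example.

```python
# Hypothetical example, not Modoboa's code: one vulnerable and one fixed handler.
from dataclasses import dataclass, field
@dataclass
class User:
    id: int
    username: str
    role: str                   # "superadmin", "domainadmin" or "user"
    domain: str                 # mail domain the account belongs to
    password: str = "initial"
    managed_domains: set = field(default_factory=set)   # domainadmin only

USERS = {   # constructed sample accounts
    1: User(1, "root@example.com", "superadmin", "example.com"),
    2: User(2, "admin@shop.test", "domainadmin", "shop.test",
            managed_domains={"shop.test"}),
    3: User(3, "alice@shop.test", "user", "shop.test"),
    4: User(4, "bob@other.test", "user", "other.test"),
}

def change_password_vulnerable(actor: User, target_id: int, new_password: str) -> None:
    """Role check only: the target is taken straight from the client-supplied id
    with no object-level check (CWE-639), so a domain admin can reset a superadmin."""
    if actor.role not in ("superadmin", "domainadmin"):
        raise PermissionError("administrators only")
    USERS[target_id].password = new_password

def can_manage(actor: User, target: User) -> bool:
    """Object-level authorization: may `actor` administer `target`?"""
    if actor.role == "superadmin":
        return True
    if actor.role == "domainadmin":
        # Only non-superadmin accounts inside domains this admin is assigned to.
        return target.role != "superadmin" and target.domain in actor.managed_domains
    return actor.id == target.id    # plain users: own account only

def change_password_fixed(actor: User, target_id: int, new_password: str) -> None:
    """Hardened form: resolve the target, then authorize the actor against it."""
    target = USERS.get(target_id)
    if target is None or not can_manage(actor, target):
        # One error for both 'missing' and 'forbidden' so ids cannot be probed.
        raise PermissionError("not allowed to change this account's password")
    target.password = new_password

def denied(handler, actor: User, target_id: int) -> bool:  # does handler refuse?
    try:
        handler(actor, target_id, "probe")
    except PermissionError:
        return True
    return False
```

The same request from the domain admin against the superadmin account succeeds through `change_password_vulnerable` and is refused by `change_password_fixed`.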
OpenCVE Enrichment