CVE-2019-19702

Name of the Vulnerable Software and Affected Versions Modoboa modoboa-dmarc plugin version 1.1.0

Description The issue allows for an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality. This can be achieved by referencing sensitive files within XML documents emailed to the address in the rua field of the DMARC records of a domain.

Recommendations For Modoboa modoboa-dmarc plugin version 1.1.0, consider disabling the DMARC reporting functionality until a patch is available to prevent exploitation. Restrict access to the XML processing module to minimize the risk of denial of service attacks. Avoid using the rua field in DMARC records to receive XML documents from untrusted sources.