PT-2023-21732 · Pretalx · Pretalx

Stefan Schiller

Publicado

2023-04-20

Atualizado

2023-05-04

CVE-2023-28459

CVSS v4.0

7.1

Alta

Vetor

AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions pretalx versions 2.3.1 through 2.3.1

Description The issue allows path traversal in HTML export, a non-default feature. Users can upload crafted HTML documents that trigger the reading of arbitrary files.

Recommendations For pretalx version 2.3.1, update to version 2.3.2 to resolve the issue. As a temporary workaround, consider disabling the HTML export feature until a patch is available. Restrict access to the HTML export module to minimize the risk of exploitation. Avoid using the HTML export feature in the affected version until the issue is resolved.

Exploit

Correção

Path traversal

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-22

Identificadores relacionados

CVE-2023-28459

GHSA-WH3W-JCC7-MHMF

PYSEC-2023-41

Produtos afetados

Pretalx

PT-2023-21732 · Pretalx · Pretalx

CVE-2023-28459

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 12