PT-2023-21732 · Pretalx · Pretalx
Stefan Schiller
·
Published
2023-04-20
·
Updated
2023-05-04
·
CVE-2023-28459
CVSS v4.0
7.1
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
pretalx versions 2.3.1 through 2.3.1
Description
The issue allows path traversal in HTML export, a non-default feature. Users can upload crafted HTML documents that trigger the reading of arbitrary files.
Recommendations
For pretalx version 2.3.1, update to version 2.3.2 to resolve the issue. As a temporary workaround, consider disabling the HTML export feature until a patch is available. Restrict access to the HTML export module to minimize the risk of exploitation. Avoid using the HTML export feature in the affected version until the issue is resolved.
Exploit
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pretalx