PT-2024-31554 · Alf.Io · Alf.Io

Isacaya · Published 2024-09-06 · Updated 2024-09-29 · CVE-2024-45300

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: alf.io versions prior to 2.0-M5

Description: The issue is a race condition in the promo code system of alf.io, an open-source ticket reservation system for events. The condition allows a user to bypass the limit on the number of promo code uses and redeem a discount coupon multiple times. The window between the check of how many uses remain and the update that restricts further use is what lets a threat actor exploit this vulnerability.

Recommendations: For versions prior to 2.0-M5, update to version 2.0-M5 to resolve the issue. As a temporary workaround, consider adding checks that minimize the window between verifying and restricting promo code usage. Restrict access to the promo code system to reduce the risk of exploitation until the update is applied.
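To show what the description's "time gap" means and why the recommendation asks for the check and the restriction to happen together, here is an added Python example; it is not alf.io's code, and the PromoCodeStore class, its field names and the promo code SAVE10 are constructed for the illustration. The same redemption request is run by several concurrent callers against a one-use code, once with a check-then-update implementation and once with the check and update held under a single lock. A barrier is used so that every caller finishes its check before any update lands, which makes the window deterministic instead of timing-dependent.

```python
import threading


class PromoCodeStore:
    """Constructed in-memory stand-in for a promo-code table (not alf.io's model)."""

    def __init__(self, code, max_uses):
        self.rows = {code: {"max_uses": max_uses, "used": 0}}
        self.lock = threading.Lock()

    def redeem_racy(self, code, barrier):
        """Check-then-act: the limit is read, then updated later, with a window between."""
        row = self.rows[code]
        if row["used"] >= row["max_uses"]:   # 1. verify the remaining uses
            return False
        barrier.wait()                        # every caller passes the check before any update
        row["used"] += 1                      # 2. restrict further use (too late: all callers got here)
        return True

    def redeem_atomic(self, code, barrier):
        """Check and update under one lock, so the limit is enforced for concurrent callers."""
        barrier.wait()                        # start all callers together, outside the critical section
        with self.lock:
            row = self.rows[code]
            if row["used"] >= row["max_uses"]:
                return False
            row["used"] += 1
            return True


def concurrent_redemptions(redeem, code, n_callers):
    """Run n_callers simultaneous redemptions and return how many were accepted."""
    # The barrier assumes every caller reaches it, which holds here because the
    # code starts with used == 0 and max_uses >= 1, so no caller fails the first check.
    barrier = threading.Barrier(n_callers, timeout=5)
    results = []
    results_lock = threading.Lock()

    def worker():
        accepted = redeem(code, barrier)
        with results_lock:
            results.append(accepted)

    threads = [threading.Thread(target=worker) for _ in range(n_callers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def demo(n_callers=8, max_uses=1):
    """Return (accepted redemptions with the racy check, accepted with the locked check)."""
    racy = PromoCodeStore("SAVE10", max_uses)
    safe = PromoCodeStore("SAVE10", max_uses)
    return (
        concurrent_redemptions(racy.redeem_racy, "SAVE10", n_callers),
        concurrent_redemptions(safe.redeem_atomic, "SAVE10", n_callers),
    )


if __name__ == "__main__":
    racy_count, safe_count = demo()
    print(f"check-then-act accepted {racy_count} uses of a 1-use code; "
          f"locked check+update accepted {safe_count}")
```

With eight concurrent callers the check-then-act variant accepts all eight redemptions of a single-use code, while the locked variant accepts exactly one. In a database-backed system the equivalent of the lock is to make the check and the increment one statement (a conditional UPDATE that only succeeds while the use count is below the limit, with the affected-row count checked) or to hold a row lock for the duration of the transaction; a detection-side check is to compare the number of accepted redemptions per code against its configured limit and alert on any code that exceeds it.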

Exploit

Fix

Race Condition


Weakness Enumeration

Related Identifiers

CVE-2024-45300
GHSA-67JG-M6F3-473G

Affected Products

Alf.Io