PT-2024-38809 · Pretix
Published: 2024-08-23 · Updated: 2024-09-12 · CVE-2024-8113
CVSS v4.0: 7.2 (High)
Vector: AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:L/U:Green
Name of the Vulnerable Software and Affected Versions:
pretix versions up to 2024.7.0
Description:
The issue allows a malicious event organizer to inject HTML tags into the e-mail preview shown on the settings page. pretix's default Content Security Policy prevents execution of attacker-provided scripts, so exploitation is unlikely on its own. Combined with a CSP bypass, however, the injected markup could be used to impersonate other organizers or staff users.
Recommendations:
For versions up to 2024.7.0, update to a version later than 2024.7.0 to resolve the issue. As a temporary workaround, consider restricting access to the organizer and event settings to minimize the risk of exploitation. Avoid using the affected settings page until the issue is resolved.
Weakness Enumeration: XSS
Related Identifiers: CVE-2024-8113
Affected Products: Pretix