PyPI: pretix
CVE-2024-8113
Safety vulnerability ID: SFTY-20240823-22232
Safety legacy ID: pyup.io-72971
Stored XSS vulnerabilities in the organizer and event settings of affected Pretix versions allowed malicious event organizers to inject HTML tags into the email previews on the settings page. The fix introduced proper escaping of placeholders and dynamic content using Django's `escape` function, mitigating the risk of Cross-Site Scripting (XSS) attacks. While the default Content Security Policy (CSP) of Pretix prevents the execution of attacker-provided scripts, making exploitation unlikely, the vulnerability could still be dangerous if combined with a CSP bypass, potentially allowing impersonation of other organizers or staff users.
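The following is an added illustration of the defect class and the fix described above; it is not pretix code. It renders a constructed email preview from organizer-controlled settings, once by pasting values straight into the HTML (the pre-fix behaviour) and once with every dynamic value escaped. The stdlib `html.escape` stands in for Django's `escape` (both neutralise `<`, `>`, `&`, quotes), and `injected_tags` is a hypothetical helper that flags tags in the output which were not part of the trusted template.

```python
import html
import re

# Constructed sample data: the template is trusted application HTML, the
# settings values are organizer-controlled (stored) content.
TEMPLATE = "<p>Hi {attendee}, welcome to {event_name} by {organizer}!</p>"
EVENT_SETTINGS = {
    "event_name": 'Summer Fest <a href="https://example.invalid/login">Sign in</a>',
    "organizer": "Example Org & Co.",
}

TAG_RE = re.compile(r"<[^>]+>")


def render_preview_unsafe(template: str, settings: dict) -> str:
    """Pre-fix behaviour: dynamic content lands in the HTML preview verbatim."""
    return template.format(attendee="Alice", **settings)


def render_preview_escaped(template: str, settings: dict) -> str:
    """Post-fix behaviour: escape every placeholder value before insertion.

    html.escape(quote=True) is used here as a stand-in for django.utils.html.escape.
    """
    safe = {key: html.escape(str(value), quote=True) for key, value in settings.items()}
    return template.format(attendee=html.escape("Alice", quote=True), **safe)


def injected_tags(template: str, rendered: str) -> list:
    """Hypothetical check: tags present in the output but absent from the template
    can only have come from dynamic content, so they indicate missing escaping."""
    expected = set(TAG_RE.findall(template))
    return [tag for tag in TAG_RE.findall(rendered) if tag not in expected]


if __name__ == "__main__":
    for renderer in (render_preview_unsafe, render_preview_escaped):
        out = renderer(TEMPLATE, EVENT_SETTINGS)
        print(renderer.__name__, "->", out)
        print("  injected tags:", injected_tags(TEMPLATE, out))
```

Note that the escaped output still shows the attacker's text, just inert: without script execution a forged "Sign in" link is the kind of impersonation content the advisory warns about, which is why the escaping matters even with CSP in place.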
Overview
pretix Stored Cross-site Scripting vulnerability
References
- https://getsafety.com/vulnerabilities/SFTY-20240823-22232/CVE-2024-8113
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8113
- https://github.com/advisories/GHSA-45rp-q25w-4426
- https://github.com/pretix/pretix/commit/0f44a2ad4e170882dbe6b9d95dba6c36e4e181cf
- https://nvd.nist.gov/vuln/detail/CVE-2024-8113
- https://pretix.eu/about/en/blog/20240823-release-2024-7-1
- https://github.com/pypa/advisory-database/tree/main/vulns/pretix/PYSEC-2024-180.yaml
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
