CVE-2024-8113

Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://pretix.eu/about/en/blog/20240823-release-2024-7-1/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-08-23 15:15

Updated : 2024-09-12 18:21

NVD link : CVE-2024-8113

Mitre link : CVE-2024-8113

CVE.ORG link : CVE-2024-8113

JSON object : View

Products Affected

pretix

pretix

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-8113", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}], "cvssMetricV40": [{"type": "Secondary", "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "USER", "baseScore": 7.2, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:L/U:Green", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "GREEN", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "LOW", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-08-23T15:15:17.593", "references": [{"url": "https://pretix.eu/about/en/blog/20240823-release-2024-7-1/", "tags": ["Vendor Advisory"], "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users."}, {"lang": "es", "value": "El XSS almacenado en la configuraci\u00f3n del organizador y del evento con pretix hasta 2024.7.0 permite a organizadores de eventos maliciosos inyectar etiquetas HTML en vistas previas de correo electr\u00f3nico en la p\u00e1gina de configuraci\u00f3n. La pol\u00edtica de seguridad de contenido predeterminada de pretix impide la ejecuci\u00f3n de scripts proporcionados por atacantes, lo que hace que la explotaci\u00f3n sea poco probable. Sin embargo, combinada con una omisi\u00f3n del CSP (que actualmente no se conoce), la vulnerabilidad podr\u00eda usarse para hacerse pasar por otros organizadores o usuarios del personal."}], "lastModified": "2024-09-12T18:21:30.677", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E6A18526-A03F-4E05-B43C-28A8CC2352A5", "versionEndIncluding": "2024.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "655498c3-6ec5-4f0b-aea6-853b334d05a6"}