Safety vulnerability ID: 72971
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Stored XSS vulnerabilities in the organizer and event settings of affected Pretix versions allowed a malicious event organizer to inject HTML tags into the email previews shown on the settings page. The fix escapes placeholders and other dynamic content with Django's `escape` function before the preview is rendered, so organizer-supplied text can no longer be interpreted as markup. Pretix's default Content Security Policy (CSP) prevents attacker-supplied scripts from executing, which makes exploitation unlikely on a stock deployment; combined with a CSP bypass, however, the flaw could still be used to impersonate other organizers or staff users.
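The following is an added illustration of the bug class and the fix described above. It is not Pretix's own preview code: the placeholder syntax (`{name}`), the `render_preview_*` functions, the sample template and the sample context are all constructed for this example. It shows a preview renderer that drops organizer-controlled text straight into HTML, beside a hardened version that escapes both the template text and each substituted placeholder value. Django's `django.utils.html.escape` is used when Django is importable; the standard library's `html.escape` produces the same text and is used as a fallback so the example runs without Django.

```python
"""Email preview rendering: vulnerable vs. escaped (added example, not Pretix code)."""
import re

try:
    # Django's escape, which the Pretix fix applies to placeholders and dynamic content.
    from django.utils.html import escape
except ImportError:  # Django not installed: stdlib fallback, identical output text.
    from html import escape

# Hypothetical placeholder syntax for this example: {attendee_name}, {event_name}, ...
PLACEHOLDER_RE = re.compile(r"\{(\w+)\}")


def render_preview_unsafe(template: str, context: dict) -> str:
    """Vulnerable pattern: organizer-controlled text and values are emitted as raw HTML.

    Anyone who can edit the template or the placeholder values (an event organizer)
    can inject tags into the page that shows the preview.
    """
    body = PLACEHOLDER_RE.sub(
        lambda m: str(context.get(m.group(1), m.group(0))), template
    )
    return '<div class="preview">' + body.replace("\n", "<br>") + "</div>"


def render_preview_safe(template: str, context: dict) -> str:
    """Hardened pattern: escape the template text and every substituted value.

    The template is escaped first (braces survive escaping, so placeholders still
    match), then each placeholder is replaced by its escaped value. Only the
    markup this function itself emits (<div>, <br>) is unescaped.
    """
    def substitute(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name in context:
            return str(escape(str(context[name])))
        # Unknown placeholder: leave it visible in the preview, still escaped.
        return str(escape(m.group(0)))

    body = PLACEHOLDER_RE.sub(substitute, str(escape(template)))
    return '<div class="preview">' + body.replace("\n", "<br>") + "</div>"


# Constructed sample input: a benign template with a malicious event name.
SAMPLE_TEMPLATE = "Hello {attendee_name},\nyour ticket for {event_name} is ready."
SAMPLE_CONTEXT = {
    "attendee_name": "Alice",
    "event_name": '<img src=x onerror="alert(document.domain)">Conf',
}


def contains_raw_tag(rendered_body: str) -> bool:
    """Check helper: does any tag other than the renderer's own <div>/<br> appear?"""
    inner = rendered_body[len('<div class="preview">'):-len("</div>")]
    return bool(re.search(r"<(?!br>)", inner))


if __name__ == "__main__":
    print("unsafe:", render_preview_unsafe(SAMPLE_TEMPLATE, SAMPLE_CONTEXT))
    print("safe:  ", render_preview_safe(SAMPLE_TEMPLATE, SAMPLE_CONTEXT))
```

With the default CSP in place the injected `onerror` handler in the unsafe output would be blocked by the browser, which is why the advisory rates exploitation as unlikely; the escaped output removes the dependency on CSP altogether, since the payload is rendered as visible text rather than as an element.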
Latest version: 2024.11.0
Reinventing presales, one ticket at a time