CVE-2023-28458: pretalx allows path traversal in HTML export
(updated )
pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export (a non-default feature). Organizers can trigger the overwriting (with the standard pretalx 404 page content) of an arbitrary file.
References
- github.com/advisories/GHSA-23fx-92m6-4f2g
- github.com/pretalx/pretalx
- github.com/pretalx/pretalx/commit/60722c43cf975f319e94102e6bff320723776890
- github.com/pretalx/pretalx/releases/tag/v2.3.2
- github.com/pypa/advisory-database/tree/main/vulns/pretalx/PYSEC-2023-40.yaml
- nvd.nist.gov/vuln/detail/CVE-2023-28458
- pretalx.com/p/news/security-release-232
- www.sonarsource.com/blog/pretalx-vulnerabilities-how-to-get-accepted-at-every-conference
Code Behaviors & Features
Detect and mitigate CVE-2023-28458 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →