CVE-2023-28459: pretalx vulnerable to path traversal in HTML export
(updated )
pretalx before 2.3.2 allows path traversal in HTML export (a non-default feature). Users were able to upload crafted HTML documents that trigger the reading of arbitrary files.
References
- github.com/advisories/GHSA-wh3w-jcc7-mhmf
- github.com/pretalx/pretalx
- github.com/pretalx/pretalx/commit/60722c43cf975f319e94102e6bff320723776890
- github.com/pretalx/pretalx/releases/tag/v2.3.2
- github.com/pypa/advisory-database/tree/main/vulns/pretalx/PYSEC-2023-41.yaml
- nvd.nist.gov/vuln/detail/CVE-2023-28459
- pretalx.com/p/news/security-release-232
- www.sonarsource.com/blog/pretalx-vulnerabilities-how-to-get-accepted-at-every-conference
Detect and mitigate CVE-2023-28459 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →