CVE-2023-28459: Relative Path Traversal
(updated )
pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export (a non-default feature). Users were able to upload crafted HTML documents that trigger the reading of arbitrary files.
References
- github.com/advisories/GHSA-wh3w-jcc7-mhmf
- github.com/pretalx/pretalx/commit/60722c43cf975f319e94102e6bff320723776890
- github.com/pretalx/pretalx/releases/tag/v2.3.2
- nvd.nist.gov/vuln/detail/CVE-2023-28459
- pretalx.com/p/news/security-release-232/
- www.sonarsource.com/blog/pretalx-vulnerabilities-how-to-get-accepted-at-every-conference/
Detect and mitigate CVE-2023-28459 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →