CVE-2024-8113: pretix Stored Cross-site Scripting vulnerability

August 23, 2024 (updated October 4, 2024)

Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users.

References

github.com/advisories/GHSA-45rp-q25w-4426
github.com/pretix/pretix
github.com/pretix/pretix/commit/0f44a2ad4e170882dbe6b9d95dba6c36e4e181cf
nvd.nist.gov/vuln/detail/CVE-2024-8113
pretix.eu/about/en/blog/20240823-release-2024-7-1

Detect and mitigate CVE-2024-8113 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →