GHSA-45rp-q25w-4426
Suggest an improvement- Source
- https://github.com/advisories/GHSA-45rp-q25w-4426
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-45rp-q25w-4426/GHSA-45rp-q25w-4426.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-45rp-q25w-4426
- Aliases
- Published
- 2024-08-23T15:30:34Z
- Modified
- 2025-01-21T18:24:34.173619Z
- Severity
-
- 7.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:L/U:Green CVSS Calculator
- Summary
- pretix Stored Cross-site Scripting vulnerability
- Details
-
Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users.
- Database specific
{ "github_reviewed_at": "2024-08-23T18:51:02Z", "cwe_ids": [ "CWE-79" ], "nvd_published_at": "2024-08-23T15:15:17Z", "severity": "HIGH", "github_reviewed": true }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-8113
- https://github.com/pretix/pretix/commit/0f44a2ad4e170882dbe6b9d95dba6c36e4e181cf
- https://github.com/pretix/pretix
- https://github.com/pypa/advisory-database/tree/main/vulns/pretix/PYSEC-2024-180.yaml
- https://pretix.eu/about/en/blog/20240823-release-2024-7-1
Affected packages
PyPI / pretix
Package
- Name
- pretix
- View open source insights on deps.dev
- Purl
- pkg:pypi/pretix
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2024.7.1
Affected versions
1.*
1.0.0b1
1.0.0b2
1.0.0
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0
1.2.1.post2
1.2.2
1.3.0
1.3.0.post1
1.3.1
1.4.0
1.4.1
1.5.0
1.5.1
1.5.2
1.6.0
1.6.1
1.6.2
1.7.1
1.7.2
1.8.0
1.8.1
1.9.0
1.9.1
1.10.0
1.10.1
1.11.0
1.11.1
1.12.0
1.12.1
1.13.0
1.13.1
1.14.0
1.15.0
1.15.1
1.15.2
1.16.0
1.17.0
1.17.1
2.*
2.0.0
2.1.0
2.2.0
2.3.0
2.4.0
2.5.0
2.6.0
2.7.0
2.7.1
2.7.2
2.8.2
3.*
3.0.0
3.0.1
3.1.0
3.2.0
3.3.0
3.4.0
3.5.0
3.6.0
3.6.0.post1
3.7.0
3.8.0
3.9.0
3.10.0
3.11.0
3.11.1
3.12.0
3.12.1
3.13.0
3.13.1
3.14.0
3.14.1
3.14.2
3.15.0
3.16.0
3.17.1
3.17.2
3.18.0
4.*
4.0.0
4.1.0
4.2.0
4.3.0
4.3.1
4.4.0
4.4.1
4.5.0
4.5.1
4.5.2
4.6.0
4.6.1
4.7.0
4.7.1
4.8.0
4.9.0
4.9.1
4.10.0
4.10.1
4.11.0
4.11.1
4.12.0
4.13.0
4.13.1
4.14.0.dev0
4.14.0
4.15.0.dev0
4.15.0
4.15.1
4.16.0
4.16.1
4.17.0
4.17.1
4.18.0
4.18.1
4.18.2
4.18.2.post1
4.19.0
4.20.0
4.20.1
4.20.2.post1
4.20.4
2023.*
2023.6.0
2023.6.1
2023.6.3
2023.7.0
2023.7.1
2023.7.3
2023.8.0
2023.8.1
2023.9.0
2023.9.1
2023.10.0
2023.10.1.post1
2023.10.2
2024.*
2024.1.0
2024.1.1
2024.2.0
2024.3.0
2024.4.0
2024.5.0
2024.5.1
2024.6.0
2024.6.1
2024.7.0