CVE-2024-8113

CVSS V2: None
CVSS V3: None
Description
Stored XSS in the organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into the e-mail previews shown on the settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (none is currently known), the vulnerability could be used to impersonate other organizers or staff users.
Overview
  • CVE ID: CVE-2024-8113
  • Assigner: rami.io
  • Vulnerability Status: PUBLISHED
  • Published Version: 2024-08-23T14:18:05.416Z
  • Last Modified Date: 2024-08-23T14:24:05.228Z
References
Reference URL: https://pretix.eu/about/en/blog/20240823-release-2024-7-1/
Reference Tags: release-notes
History
Created: 2024-08-24 13:03:54
Old Value: (none)
New Value: (none)
Data Type: (none)
Notes: Added to TrackCVE