pretix 1.16.0 vulnerabilities

Known vulnerabilities in the pretix package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
L Cross-site Scripting (XSS) pretix is a Reinventing presales, one ticket at a time Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the control panel due to improper user input sanitization in the placeholders (like `{name}` or `{event}`). An attacker can inject HTML tags into email previews on the settings page by exploiting this vulnerability. NOTE: This is only exploitable if a Content Security Policy (CSP) bypass occurs. How to fix Cross-site Scripting (XSS)? Upgrade `pretix` to version 2024.7.1 or higher.	[,2024.7.1)
H Improper Input Validation pretix is a Reinventing presales, one ticket at a time Affected versions of this package are vulnerable to Improper Input Validation due to mishandling of file validation. An attacker can exploit this weakness by submitting a malicious file that bypasses the intended validation mechanisms. How to fix Improper Input Validation? Upgrade `pretix` to version 2024.1.1 or higher.	[,2024.1.1)
H Arbitrary Code Injection pretix is a Reinventing presales, one ticket at a time Affected versions of this package are vulnerable to Arbitrary Code Injection when parsing EPS files. An attacker can exploit this to execute arbitrary code by sending a specially crafted EPS file. Note: This is only exploitable if the application is configured to accept and parse EPS files. How to fix Arbitrary Code Injection? Upgrade `pretix` to version 2023.7.3 or higher.	[,2023.7.3)
H Improper Authorization pretix is a Reinventing presales, one ticket at a time Affected versions of this package are vulnerable to Improper Authorization due to allowing OAuth application authorization from a logged-out session. Note: Access to a browser (or session cookie) with a recent valid login into the system is required for the security problem to be exploitable. It is not possible for a remote attacker to use this to get access to random accounts. How to fix Improper Authorization? Upgrade `pretix` to version 4.15.1, 4.16.1, 4.17.1 or higher.	[1.16.0,4.15.1)[4.16.0,4.16.1)[4.17.0,4.17.1)

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

pretix is a Reinventing presales, one ticket at a time

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the control panel due to improper user input sanitization in the placeholders (like {name} or {event}). An attacker can inject HTML tags into email previews on the settings page by exploiting this vulnerability.

NOTE:

This is only exploitable if a Content Security Policy (CSP) bypass occurs.

How to fix Cross-site Scripting (XSS)?

Upgrade pretix to version 2024.7.1 or higher.

[,2024.7.1)

Improper Input Validation

pretix is a Reinventing presales, one ticket at a time

Affected versions of this package are vulnerable to Improper Input Validation due to mishandling of file validation. An attacker can exploit this weakness by submitting a malicious file that bypasses the intended validation mechanisms.

How to fix Improper Input Validation?

Upgrade pretix to version 2024.1.1 or higher.

[,2024.1.1)

Arbitrary Code Injection

pretix is a Reinventing presales, one ticket at a time

Affected versions of this package are vulnerable to Arbitrary Code Injection when parsing EPS files. An attacker can exploit this to execute arbitrary code by sending a specially crafted EPS file.

Note:

This is only exploitable if the application is configured to accept and parse EPS files.

How to fix Arbitrary Code Injection?

Upgrade pretix to version 2023.7.3 or higher.

[,2023.7.3)

Improper Authorization

pretix is a Reinventing presales, one ticket at a time

Affected versions of this package are vulnerable to Improper Authorization due to allowing OAuth application authorization from a logged-out session.

Note: Access to a browser (or session cookie) with a recent valid login into the system is required for the security problem to be exploitable. It is not possible for a remote attacker to use this to get access to random accounts.

How to fix Improper Authorization?

Upgrade pretix to version 4.15.1, 4.16.1, 4.17.1 or higher.

[1.16.0,4.15.1)[4.16.0,4.16.1)[4.17.0,4.17.1)

pretix@1.16.0 vulnerabilities

Reinventing presales, one ticket at a time

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?