pretix before 2024.1.1 mishandles file validation.
The vulnerability results from improper file validation (CWE-20 β improper input validation), which may allow an attacker to upload a malicious file without proper verification of its content or type. The attack vector is network-based, requires no authentication or user interaction, and the attack complexity is low. The detailed exploit mechanism has not been disclosed in the available description.
A remote, unauthenticated attacker can potentially achieve full system compromise β violation of confidentiality, integrity, and availability of data and services (CVSS score C:H/I:H/A:H).
Pretix should be updated to version 2024.1.1 or later. A patch is available in the project repository on GitHub (comparison of changes between v2023.10.2 and v2024.1.1).
Pretix in versions earlier than 2024.1.1 (including at least version 2023.10.2 and earlier).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPretix
APPPretix< 2024.1.1
Related vulnerabilities
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name...
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name...
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name...
Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to injec...
A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific eve...