CRITICALπŸ‡΅πŸ‡± Wersja polska

CVE-2024-27447

CVSS 9.8v3.1pub. 2024-02-26upd. 2025-06-11

pretix before 2024.1.1 mishandles file validation.

πŸ€– AI Analysis
How it works

The vulnerability results from improper file validation (CWE-20 β€” improper input validation), which may allow an attacker to upload a malicious file without proper verification of its content or type. The attack vector is network-based, requires no authentication or user interaction, and the attack complexity is low. The detailed exploit mechanism has not been disclosed in the available description.

Impact

A remote, unauthenticated attacker can potentially achieve full system compromise β€” violation of confidentiality, integrity, and availability of data and services (CVSS score C:H/I:H/A:H).

Mitigation & patch

Pretix should be updated to version 2024.1.1 or later. A patch is available in the project repository on GitHub (comparison of changes between v2023.10.2 and v2024.1.1).

Who is affected

Pretix in versions earlier than 2024.1.1 (including at least version 2023.10.2 and earlier).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Pretix

    APP
    Pretix
    < 2024.1.1
πŸ”΅
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-2415HIGH7.5ten sam produkt

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name...

CVE-2026-2451HIGH7.5ten sam produkt

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name...

CVE-2026-2452HIGH7.5ten sam produkt

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name...

CVE-2024-8113HIGH7.2ten sam produkt

Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to injec...

CVE-2026-5600MEDIUM5.5ten sam produkt

A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific eve...

CVE-2024-27447 β€” Pretix β€” CRITICAL β€” CVSS 9.8 | CVEbaza.pl