Input validation error in pretix

#VU83290 Input validation error in pretix

Published: 2023-11-20

Vulnerability identifier: #VU83290

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-44464

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
pretix
Web applications / Other software

Vendor: pretix

Description

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of images passed to the application. A remote user can create a specially crafted ".eps" file, rename it into a file with ".png" extension and upload the file to the application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

pretix: 1.0.0 - 2023.9.0

External links
http://github.com/pretix/pretix/tags
http://github.com/pretix/pretix/compare/v2023.7.1...v2023.7.2
http://pretix.eu/about/en/ticketing
http://github.com/pretix/pretix/commit/8583bfb7d97263e9e923ad5d7f123ca1cadc8f2e
http://pretix.eu/about/de/blog/20230912-release-2023-7-2/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Security restrictions bypass in pretix