#VU83290 Input validation error in pretix - CVE-2023-44464

Cybersecurity Help s.r.o.

Published: 2023-11-20

Vulnerability identifier: #VU83290

Vulnerability risk: Medium

CVSSv4.0: 5.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-44464

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
pretix
Web applications / Other software

Vendor: pretix

Description

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of images passed to the application. A remote user can create a specially crafted ".eps" file, rename it into a file with ".png" extension and upload the file to the application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

pretix: 1.0.0 - 2023.9.0

External links
https://github.com/pretix/pretix/tags
https://github.com/pretix/pretix/compare/v2023.7.1...v2023.7.2
https://pretix.eu/about/en/ticketing
https://github.com/pretix/pretix/commit/8583bfb7d97263e9e923ad5d7f123ca1cadc8f2e
https://pretix.eu/about/de/blog/20230912-release-2023-7-2/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Security restrictions bypass in pretix