CVE-2024-8113 HIGH

CVE-2024-8113: Stored XSS in Placeholder Samples in Mail Preview

Vendor Pretix
Product pretix
Weakness CWE-79 · XSS
Published August 23, 2024
Last update August 30, 2024

CVSS base score

7.2/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Passive
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/R:U/RE:L/U:Green

What the vulnerability does

Description

Stored XSS in the organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on the settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (none is currently known), the vulnerability could be used to impersonate other organizers or staff users.

Key dates

Disclosure timeline

August 23, 2024 CVE published
August 30, 2024 Record updated
