Path Traversal Vulnerability in pretalx by Pretalx
CVE-2023-28458

4.3MEDIUM

Key Information:

Vendor: Pretalx
Status: Pretalx
Vendor: CVE Published:; 20 April 2023

What is CVE-2023-28458?

The vulnerability in pretalx versions prior to 2.3.2 allows for a path traversal attack through an HTML export feature, which is not enabled by default. This flaw can be exploited by event organizers to overwrite arbitrary files with the content of the standard pretalx 404 error page. It's crucial for users to upgrade to the patched version to mitigate the risk of unauthorized file modifications.

References

https://pretalx.com/p/news/security-release-232/

https://github.com/pretalx/pretalx/commit/60722c43cf975f3...

https://github.com/pretalx/pretalx/releases/tag/v2.3.2

EPSS Score

70% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 20, 2023
Vulnerability Reserved
Mar 15, 2023

CVE-2023-28458 Data

JSON