Race Condition Flaw in alf.io Leads to Unlimited Promo Code Abuse
CVE-2024-45300

5.9MEDIUM

Key Information:

Vendor: Alfio-event
Status: Alf.io
Vendor: CVE Published:; 6 September 2024

🔔 Create Alfio-event Vulnerability Alert

What is CVE-2024-45300?

alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5, a race condition allows the user to bypass the limit on the number of promo codes and use the discount coupon multiple times. In "alf.io", an event organizer can apply price discounts by using promo codes to your events. The organizer can limit the number of promo codes that will be used for this, but the time-gap between checking the number of codes and restricting the use of the codes allows a threat actor to bypass the promo code limit. Version 2.0-M5 fixes this issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

alf.io < 2.0-M5

References

https://github.com/alfio-event/alf.io/security/advisories...

x_refsource_CONFIRM

https://github.com/alfio-event/alf.io/commit/53b3309e26e8...

x_refsource_MISC

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 6, 2024
Vulnerability Reserved
Aug 26, 2024

JSON

Alfio-event

What is CVE-2024-45300?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.