Race Condition Flaw in alf.io Leads to Unlimited Promo Code Abuse
CVE-2024-45300

5.9MEDIUM

Key Information:

Vendor: Alfio-event
Status: Alf.io
Vendor: CVE Published:; 6 September 2024

🔔 Create Alfio-event Vulnerability Alert

What is CVE-2024-45300?

alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5, a race condition allows the user to bypass the limit on the number of promo codes and use the discount coupon multiple times. In "alf.io", an event organizer can apply price discounts by using promo codes to your events. The organizer can limit the number of promo codes that will be used for this, but the time-gap between checking the number of codes and restricting the use of the codes allows a threat actor to bypass the promo code limit. Version 2.0-M5 fixes this issue.

Affected Version(s)

alf.io < 2.0-M5

References

https://github.com/alfio-event/alf.io/security/advisories...

x_refsource_CONFIRM

https://github.com/alfio-event/alf.io/commit/53b3309e26e8...

x_refsource_MISC

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 6, 2024
Vulnerability Reserved
Aug 26, 2024