CVE-2024-45299

06.09.2024, 13:15

alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5, the preloaded data as json is not escaped correctly, the administrator / event admin could break their own install by inserting non correctly escaped text. The Content-Security-Policy directive blocks any potential script execution. The administrator or event administrator can override the texts for customization purpose. The texts are not properly escaped. Version 2.0-M5 fixes this issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
GitHub_M	CNA	6.5 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 53%

Vendor	Product	Version
alf	alf	𝑥 < 2.0-m5

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/alfio-event/alf.io/security/advisories/GHSA-mcx6-25f8-8rqw

Common Weakness Enumeration

CWE-116 - Improper Encoding or Escaping of Output
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References

https://github.com/alfio-event/alf.io/commit/e7131c588f4ac31067a41d0e31e6a6a721b2ff4b

https://github.com/alfio-event/alf.io/security/advisories/GHSA-mcx6-25f8-8rqw