Security release 4.7.1 of pretix
In the past days, thanks to an external report, we identified three security-relevant issues inside pretix. We therefore just released versions 4.7.1, 4.6.1, and 4.5.2 of pretix that fix these problems. It is strongly recommended that you update your installation as soon as possible. If you are a customer of our pretix Hosted service, the vulnerabilities are already fixed for you and you do not need to take action.
The direct security risk of these issues is rather small and none of them can be used for unauthorized data access. There is no indication that your customer data was impacted in any way.
#1: Untrusted formulas in XLSX exports [MEDIUM]
In the pretix backend, it is possible to export various datasets like all order data in Microsoft's XLSX format. It is therefore possible for ticket buyers to insert almost any content into the XLSX file, which, until this release, included formulas that will be evaluated by excel.
If the file is then opened by the user with vulnerable or misconfigured versions of Microsoft Excel or LibreOffice, malicious formulas or macros included in the tables' cells might be used to execute code on the user's computer or trick the user into executing code since the file comes from a trusted source.
We have already fixed a similar issue for all CSV exports in 2017, but did not notice that the introduction of XLSX exports in 2018 re-introduced the problem in a similar way.
Severity rating: Since this is arguably more of a security problem of Excel, the implications on pretix' side are more related to the fact that the file is from a trusted source and users are therefore not expecting any such risks. We therefore assess the severity of this issue as medium.
Affected versions: pretix versions 2.3.0 until 4.7.0 are affected.
This issue has been reported to us by TQ software Solution (SMC) Pvt Ltd.
#2: XSS in question titles [LOW]
If HTML is contained in the title of a user-defined question, it was not properly escaped when used in error messages during checkout.
Since we employ a strict Content-Security-Policy, it is impossible to exploit in a significantly harmful way without the combination of a CSP bypass issue (which is not known in pretix).
Severity rating: Since this bug is not really exploitable, we assess the severity of this issue as (very) low.
Affected versions: pretix versions 4.4.0 until 4.7.0 are affected.
This issue has been reported to us by TQ software Solution (SMC) Pvt Ltd.
#3: XSS in help texts [LOW]
If HTML is contained in the user-customized help text of e.g. the email field, it was not properly escaped during checkout. This affected multiple form fields across the system.
Since we employ a strict Content-Security-Policy, it is impossible to exploit in a significantly harmful way without the combination of a CSP bypass issue (which is not known in pretix).
Severity rating: Since this bug is not really exploitable, we assess the severity of this issue as (very) low.
Affected versions: At least pretix versions 3.4.0 until 4.5.0 are affected.
The original issue has been reported to us by TQ software Solution (SMC) Pvt Ltd, and we found similar issues during developing the fix.
Fixed versions
All pretix installations are affected. We just released updates for the last three stable versions on PyPI that fix the problem. If you run a pretix installation older than 4.5, please upgrade to a recent version now.
The new docker images will appear on Docker Hub over the next few hours.
We've also released updates for the following plugins that included similar issues:
- pretix-reports 1.11.4
- pretix-resellers 2.2.2
(An initial version of this blogpost also listed pretix-posbackend, but this plugin in fact does not require an update.)
We strongly recommend that you always run the latest version of pretix, as every release contains useful and important bug fixes, even if they are not security related.
If you want to keep updated about bugfix and security releases, you should follow this blog closely. A RSS feed is available and we also announce every blogpost on twitter.
We take the security of our product very seriously and always go the extra mile to make sure you stay safe. As we are humans, security issues unfortunately still might occur from time to time. We do everything we can to find and fix them as timely as we can. If you notice any security problems or have any questions on this topic, please contact us in private at security@pretix.eu. We will always treat your message with the appropriate priority.
