pretix

Pages Plugin 1.1.1 Security Release

March 7, 2017

Today we discovered that our official plugin pretix-pages contained a security vulnerability. We have therefore just released versions 1.0.1 and 1.1.1 of the plugin and recommend that you update your installation as soon as possible. If you are a customer of our hosted service, the vulnerability is already fixed for you and you do not need to take action.

Vulnerability impact

The pages plugin allows event organizers to add pages with static content to their ticket shops. Usage examples include FAQs, the organizer's terms of services, etc.

In the administrative control panel of an event, the list of pages showed not only the pages of the current event, but also those of other events on the same installation. As a result, the titles of other events' pages were leaked to every user with a control panel account who can access at least one event.

However, only a user with legitimate access to the event could view or edit the content of those pages. The exposed information did not reveal which event a leaked page title belonged to.
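As an added illustration (not the plugin's own code), the following plain-Python model shows the unscoped listing described above beside the event-scoped version, together with a check that reports titles leaked across events. The Event, Page and User types, the listing functions and the sample events are assumptions made for this example.

```python
# Added example (not pretix's own code): the missing event filter described
# above, modelled in plain Python instead of Django's ORM. Event, Page, User,
# list_pages_vulnerable and list_pages_fixed are names assumed for illustration.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    slug: str


@dataclass(frozen=True)
class Page:
    event: Event
    slug: str
    title: str


@dataclass
class User:
    name: str
    events: frozenset = field(default_factory=frozenset)  # events the user may administer


# Constructed sample data: two organizers' events on one self-hosted server.
DEMOCON = Event("democon")
OTHERFEST = Event("otherfest")
PAGES = [
    Page(DEMOCON, "faq", "DemoCon FAQ"),
    Page(DEMOCON, "terms", "DemoCon Terms of Service"),
    Page(OTHERFEST, "faq", "OtherFest FAQ (unannounced)"),
]


def list_pages_vulnerable(user, event):
    """Before the fix: the listing checks access to the current event but then
    returns every page on the server, like an unfiltered queryset would."""
    if event not in user.events:
        raise PermissionError("no access to this event")
    return [p.title for p in PAGES]


def list_pages_fixed(user, event):
    """After the fix: the result is scoped to the event the control panel is open for."""
    if event not in user.events:
        raise PermissionError("no access to this event")
    return [p.title for p in PAGES if p.event == event]


def leaked_titles(list_fn, user, event):
    """Regression check: titles returned that belong to events the user cannot access."""
    allowed = {p.title for p in PAGES if p.event in user.events}
    return sorted(t for t in list_fn(user, event) if t not in allowed)
```

Running leaked_titles against each listing function shows the unscoped version handing an organizer of one event the page titles of another, while the scoped version returns nothing it should not.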

Severity rating

Only page titles were leaked; no private information could be accessed and no data could be modified by unauthorized users. The page titles were leaked only to other backend users on the same server who have access to at least one event. Given that most self-hosted pretix installations only host events operated by the same team and a very small number of people, we assess the severity of this issue as low.

Affected versions and fixes

All publicly released versions of the pages plugin were affected, including the latest version 1.1.0. We issued a version 1.1.1 on PyPI and via GitHub that contains a fix for the issue.

Note that pretix-pages 1.1.x requires pretix 1.1.0 or newer. If you are not yet able to upgrade to pretix 1.1.0, we have also released version 1.0.1 on PyPI and GitHub, which contains the same fix. However, we strongly recommend that you always run the latest version of pretix, as every release contains useful and important bugfixes, even if they are not security related.

If you want to stay informed about bugfix and security releases, you should follow this blog closely. An RSS feed is available, and we also announce every blog post on Twitter.

We take the security of our product very seriously and always go the extra mile to make sure you stay safe. As we are human, security issues unfortunately might still occur from time to time. We do everything we can to find and fix them as quickly as possible. If you notice any security problems or have any questions on this topic, please contact us in private at support@pretix.eu. We will always treat your message with the appropriate priority.
