Release 2024.1.1 of pretix

Today, we've internally discovered a security issue inside pretix. We therefore just released versions 2024.1.1, 2023.10.2, 2023.9.1, and 2023.8.1 of pretix that fix this problem. It is strongly recommended that you update your installation as soon as possible, especially if you host pretix for third-party event organizers.

If you are a customer of our pretix Hosted service, the vulnerabilities are already fixed for you and you do not need to take action.

#1: File type validation can be bypassed in the "send out emails" form [MEDIUM]

CVE ID: CVE-2024-27447

pretix allows event organizers to send out emails to their customers and waiting list subscribers from the pretix control panel. Event organizers can attach a PDF or image file to these emails.

When uploading attachments, pretix validates that the file name has an allowed extension (e.g. ".png") and, in case of an image file, that the file contains valid image data. Due to an internal logic error, this validation can be bypassed by a malicious event organizer. The validation only runs when a new file is uploaded, but even if the file extension is not allowed, it gets temporarily stored by the system. If the form is submitted a second time with the temporary file in place, it will be accepted regardless, as the system doesn't consider it a new file anymore. This allows the event organizer to send out files of arbitrary types, potentially containing malware.

Severity rating: The security impact on a typical pretix installation is low since usually only trusted users have access to the pretix control panel. The issue can not be abused to compromise the pretix installation itself, but it can be used to send emails with malicious content to users from a high-reputation source. We therefore assess the severity of this issue as medium.

Affected versions: pretix versions 3.13.0 until 2024.1.0 are affected.

This issue has been found internally.

Fixed versions

All pretix installations since 3.13.0. We just released updates for the last three stable versions on PyPI that fix the problem. If you run a pretix installation older than 2023.8, please upgrade to a recent version now.

• 2024.1.1
• 2023.10.2
• 2023.9.1
• 2023.8.1

The new docker images will appear on Docker Hub over the next few hours.

We strongly recommend that you always run the latest version of pretix, as every release contains useful and important bug fixes, even if they are not security related.

If you want to keep updated about bugfix and security releases, you should follow this blog closely. A RSS feed is available and we also announce every blogpost on Mastodon.

We take the security of our product very seriously and always go the extra mile to make sure you stay safe. As we are humans, security issues unfortunately still might occur from time to time. We do everything we can to find and fix them as timely as we can. If you notice any security problems or have any questions on this topic, please contact us in private at security@pretix.eu. We will always treat your message with the appropriate priority.