Security release 2024.7.1 of pretix
Today, we've internally discovered a security issue inside pretix. We therefore just released versions 2024.7.1, 2024.6.1, and 2024.5.1 of pretix that fix this problem. It is strongly recommended that you update your installation as soon as possible, especially if you host pretix for third-party event organizers.
If you are a customer of our pretix Hosted service, the vulnerabilities are already fixed for you and you do not need to take action.
#1: Stored XSS in Mail Preview in Control Panel [LOW]
CVE ID: CVE-2024-8113
pretix allows event organizers to send out emails to their customers and waiting list subscribers from the pretix control panel. Placeholders like {event} or {name} can be used to personalize these emails.
Organizers can use a preview feature to test placeholder evaluation and markdown formatting.
In some cases, HTML tags were not correctly filtered in these placeholder contents, allowing an event organizer to have arbitrary HTML rendered in (another) event organizer's web browser if they used the preview feature on the same event.
Severity rating: Even though <script> tags could be inserted into the control panel using this vulnerability, they wouldn't be executed by the browser, due to a Content Security Policy blocking inline and remote scripts.
Therefore, the security impact on a typical pretix installation is low.
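As an added illustration (not pretix's own code), the following Python shows the rendering order that avoids this class of bug: escape each placeholder value before substituting it into the markdown template, render the markdown, and finally check the output for tags the renderer itself did not produce. The template, the tiny markdown stand-in, the allowlist and the sample values are constructed for this example.

```python
import html
import re

# Constructed sample mail template using pretix-style placeholders ({event}, {name}).
TEMPLATE = "Hello {name},\n\nyour order for **{event}** is confirmed."

PLACEHOLDER_RE = re.compile(r"\{([A-Za-z_]+)\}")
BOLD_RE = re.compile(r"\*\*(.+?)\*\*")
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")
# Tags the stand-in renderer is allowed to emit; anything else came from a value.
ALLOWED_TAGS = {"p", "strong"}


def markdown_to_html(text):
    """Tiny markdown stand-in (assumption, not pretix's renderer): paragraphs and **bold**."""
    paragraphs = [p.strip() for p in text.split("\n\n") if p.strip()]
    return "".join("<p>%s</p>" % BOLD_RE.sub(r"<strong>\1</strong>", p) for p in paragraphs)


def substitute(template, context, escape):
    """Replaces {placeholder} with the context value; unknown placeholders are left as-is."""
    def repl(match):
        value = str(context.get(match.group(1), match.group(0)))
        return html.escape(value, quote=True) if escape else value
    return PLACEHOLDER_RE.sub(repl, template)


def render_preview_unfiltered(template, context):
    """Weak form: raw values are substituted, so HTML inside a value reaches the browser."""
    return markdown_to_html(substitute(template, context, escape=False))


def render_preview(template, context):
    """Hardened form: values are HTML-escaped before substitution, so markdown written in
    the template still works while placeholder contents are rendered as plain text."""
    return markdown_to_html(substitute(template, context, escape=True))


def unexpected_tags(rendered):
    """Post-render check: tag names in the output that the renderer does not produce."""
    return sorted({t.lower() for t in TAG_RE.findall(rendered)} - ALLOWED_TAGS)


if __name__ == "__main__":
    # Constructed values; the event name carries markup that must not be rendered.
    ctx = {"name": "Ada", "event": "Conf <script>x</script> 2024"}
    print(unexpected_tags(render_preview_unfiltered(TEMPLATE, ctx)))  # ['script']
    print(unexpected_tags(render_preview(TEMPLATE, ctx)))  # []
```

Escaping the whole rendered output instead would also neutralize the markdown the organizer intentionally wrote, which is why the escape has to happen per value, before rendering.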
Affected versions: pretix versions until 2024.7.0 are affected.
This issue has been found internally.
Fixed versions
We just released updates for the last three stable versions on PyPI that fix the problem. If you run a pretix installation older than 2024.5, please upgrade to a recent version now.
The new docker images will appear on Docker Hub over the next few hours.
We strongly recommend that you always run the latest version of pretix, as every release contains useful and important bug fixes, even if they are not security related.
If you want to keep updated about bugfix and security releases, you should follow this blog closely. An RSS feed is available and we also announce every blog post on Mastodon.
We take the security of our product very seriously and always go the extra mile to make sure you stay safe. As we are humans, security issues unfortunately still might occur from time to time. We do everything we can to find and fix them as quickly as we can. If you notice any security problems or have any questions on this topic, please contact us in private at security@pretix.eu. We will always treat your message with the appropriate priority.