Pretix
CVE-2023-27891
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1.
AnalysisAI
rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-613. rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1. Affected products include: Rami Pretix. Version information: before 4.17.1.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
pretix before 2024.1.1 mishandles file validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely ex
Stored cross-site scripting in Pretix's PDF ticket and badge layout editor allows one backend user to inject JavaScript
pretix before 2023.7.2 allows Pillow to parse EPS files. Rated high severity (CVSS 7.8), this vulnerability is no authen
Privilege escalation to full account takeover in pretix (open-source event ticketing) and its payment integration plugin
Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tag
Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive syste
Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive syste
Pretix email template placeholder injection enables authenticated backend users to extract sensitive system information
Pretix 2025 and 2026 versions contain an API endpoint authorization bypass that returns all check-in events for an organ
HTML injection on pretix's individual ticket confirmation page allows unsanitized email address content to execute arbit
An issue was discovered in pretix before 2023.7.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely expl
Gift card secret exposure in pretix event ticketing software allows a highly privileged user who lacks explicit gift car
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today