Hi Events
Monthly
Stored cross-site scripting in Hi.Events through v1.10.0-beta allows authenticated event organizers to inject arbitrary JavaScript into public event pages by embedding the raw </script> sequence in an event title, which the application's JSON.stringify() serialization fails to encode safely when placed in inline script contexts. The payload executes in the browser of every visitor to the affected event page - including unauthenticated attendees and authenticated administrators - enabling session hijacking and privilege escalation from a low-privileged creator account. No public exploit has been identified at time of analysis; a vendor-released patch is available in v1.11.0-beta.
Hidden ticket purchase bypass in Hi.Events through v1.10.0-beta allows unauthenticated remote attackers to acquire VIP, invite-only, or discounted tickets withheld from public sale by referencing hidden ticket and price IDs directly in order creation API requests. The server fails to enforce ticket visibility rules at the API layer, relying only on UI-level concealment, and sequential integer ticket IDs allow systematic enumeration from observed visible IDs. No public exploit or active exploitation (KEV) has been identified at time of analysis, but the unauthenticated network vector and low complexity make opportunistic exploitation straightforward following disclosure.
Stored cross-site scripting in Hi.Events through v1.10.0-beta allows authenticated event organizers to inject arbitrary JavaScript into public event pages by embedding the raw </script> sequence in an event title, which the application's JSON.stringify() serialization fails to encode safely when placed in inline script contexts. The payload executes in the browser of every visitor to the affected event page - including unauthenticated attendees and authenticated administrators - enabling session hijacking and privilege escalation from a low-privileged creator account. No public exploit has been identified at time of analysis; a vendor-released patch is available in v1.11.0-beta.
Hidden ticket purchase bypass in Hi.Events through v1.10.0-beta allows unauthenticated remote attackers to acquire VIP, invite-only, or discounted tickets withheld from public sale by referencing hidden ticket and price IDs directly in order creation API requests. The server fails to enforce ticket visibility rules at the API layer, relying only on UI-level concealment, and sequential integer ticket IDs allow systematic enumeration from observed visible IDs. No public exploit or active exploitation (KEV) has been identified at time of analysis, but the unauthenticated network vector and low complexity make opportunistic exploitation straightforward following disclosure.