{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/pretalx/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["pretalx"],"_cs_severities":["high"],"_cs_tags":["pretalx","xss","stored-xss"],"_cs_type":"advisory","_cs_vendors":["pretalx"],"content_html":"\u003cp\u003eA stored cross-site scripting (XSS) vulnerability was discovered in the pretalx event management platform, specifically affecting versions prior to v2026.1.0. The vulnerability resides within the organizer search functionality in the backend. Attackers can inject malicious HTML or JavaScript code into user-controlled fields such as submission titles, speaker display names, or user names/emails. When an organizer performs a typeahead search that matches the injected payload, the malicious script executes within the organizer's browser session. This vulnerability allows attackers to potentially steal CSRF tokens, perform actions on behalf of the organizer, modify data, or exfiltrate sensitive information. The vulnerability was reported by Elad Meged from Novee Security and patched in pretalx v2026.1.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker registers an account on the pretalx platform or utilizes an existing account.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies their display name or submission title to include a malicious JavaScript payload, such as \u003ccode\u003e\u0026lt;script\u0026gt;alert(\u0026quot;XSS\u0026quot;)\u0026lt;/script\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker submits a proposal or registers for an event, ensuring their malicious display name is associated with their profile.\u003c/li\u003e\n\u003cli\u003eAn organizer logs into the pretalx backend and uses the organizer search bar to search for a user or submission.\u003c/li\u003e\n\u003cli\u003eThe organizer's search query matches the malicious record (e.g., the attacker's display name or submission title).\u003c/li\u003e\n\u003cli\u003eThe pretalx application renders the search results using \u003ccode\u003einnerHTML\u003c/code\u003e, injecting the attacker's malicious JavaScript payload into the page.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript executes within the organizer's browser session, allowing the attacker to steal the CSRF token.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen CSRF token to submit authenticated requests, potentially modifying event data, exfiltrating sensitive information, or performing other actions on behalf of the organizer.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability allows attackers to execute arbitrary JavaScript code within the browser of a pretalx organizer. This could lead to the compromise of sensitive event data, unauthorized modification of event settings, or the exfiltration of organizer credentials. The impact depends on the permissions and access levels of the compromised organizer account. If an administrator account is compromised, the attacker could gain full control over the pretalx instance, potentially affecting numerous events and users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade pretalx to version 2026.1.0 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eIf an immediate upgrade is not possible, avoid using the organiser search bar or apply the patch manually to \u003ccode\u003esrc/pretalx/static/orga/js/base.js\u003c/code\u003e as described in the advisory.\u003c/li\u003e\n\u003cli\u003eImplement a Content Security Policy (CSP) to mitigate the risk of XSS attacks. (Not explicitly mentioned in the advisory, but a good security practice).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to your SIEM and tune for your environment to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-29-pretalx-xss/","summary":"A stored cross-site scripting (XSS) vulnerability exists in the pretalx backend organizer search, allowing attackers to inject malicious JavaScript into user-controlled fields that executes in an organizer's browser, potentially leading to data modification or exfiltration.","title":"pretalx Stored Cross-Site Scripting Vulnerability in Organizer Search","url":"https://feed.craftedsignal.io/briefs/2024-01-29-pretalx-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - Pretalx","version":"https://jsonfeed.org/version/1.1"}