<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Pretalx - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/pretalx/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 29 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/pretalx/feed.xml" rel="self" type="application/rss+xml"/><item><title>pretalx Stored Cross-Site Scripting Vulnerability in Organizer Search</title><link>https://feed.craftedsignal.io/briefs/2024-01-29-pretalx-xss/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-29-pretalx-xss/</guid><description>A stored cross-site scripting (XSS) vulnerability exists in the pretalx backend organizer search, allowing attackers to inject malicious JavaScript into user-controlled fields that executes in an organizer's browser, potentially leading to data modification or exfiltration.</description><content:encoded><![CDATA[<p>A stored cross-site scripting (XSS) vulnerability was discovered in the pretalx event management platform, specifically affecting versions prior to v2026.1.0. The vulnerability resides within the organizer search functionality in the backend. Attackers can inject malicious HTML or JavaScript code into user-controlled fields such as submission titles, speaker display names, or user names/emails. When an organizer performs a typeahead search that matches the injected payload, the malicious script executes within the organizer's browser session. This vulnerability allows attackers to potentially steal CSRF tokens, perform actions on behalf of the organizer, modify data, or exfiltrate sensitive information. The vulnerability was reported by Elad Meged from Novee Security and patched in pretalx v2026.1.0.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker registers an account on the pretalx platform or utilizes an existing account.</li>
<li>The attacker modifies their display name or submission title to include a malicious JavaScript payload, such as <code>&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;</code>.</li>
<li>The attacker submits a proposal or registers for an event, ensuring their malicious display name is associated with their profile.</li>
<li>An organizer logs into the pretalx backend and uses the organizer search bar to search for a user or submission.</li>
<li>The organizer's search query matches the malicious record (e.g., the attacker's display name or submission title).</li>
<li>The pretalx application renders the search results using <code>innerHTML</code>, injecting the attacker's malicious JavaScript payload into the page.</li>
<li>The injected JavaScript executes within the organizer's browser session, allowing the attacker to steal the CSRF token.</li>
<li>The attacker uses the stolen CSRF token to submit authenticated requests, potentially modifying event data, exfiltrating sensitive information, or performing other actions on behalf of the organizer.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this XSS vulnerability allows attackers to execute arbitrary JavaScript code within the browser of a pretalx organizer. This could lead to the compromise of sensitive event data, unauthorized modification of event settings, or the exfiltration of organizer credentials. The impact depends on the permissions and access levels of the compromised organizer account. If an administrator account is compromised, the attacker could gain full control over the pretalx instance, potentially affecting numerous events and users.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade pretalx to version 2026.1.0 or later to patch the vulnerability.</li>
<li>If an immediate upgrade is not possible, avoid using the organiser search bar or apply the patch manually to <code>src/pretalx/static/orga/js/base.js</code> as described in the advisory.</li>
<li>Implement a Content Security Policy (CSP) to mitigate the risk of XSS attacks. (Not explicitly mentioned in the advisory, but a good security practice).</li>
<li>Deploy the Sigma rule below to your SIEM and tune for your environment to detect potential exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>pretalx</category><category>xss</category><category>stored-xss</category></item></channel></rss>