CVE-2024-45299

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-45299
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5, the preloaded data as json is not escaped correctly, the administrator / event admin could break their own install by inserting non correctly escaped text. The Content-Security-Policy directive blocks any potential script execution. The administrator or event administrator can override the texts for customization purpose. The texts are not properly escaped. Version 2.0-M5 fixes this issue.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/alfio-event/alf.io/commit/e7131c588f4ac31067a41d0e31e6a6a721b2ff4b Patch
https://github.com/alfio-event/alf.io/security/advisories/GHSA-mcx6-25f8-8rqw Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:alf:alf:*:*:*:*:*:*:*:*
History

30 Sep 2024, 12:48

Type Values Removed Values Added
First Time Alf
Alf alf
CPE cpe:2.3:a:alf:alf:*:*:*:*:*:*:*:*
References () https://github.com/alfio-event/alf.io/commit/e7131c588f4ac31067a41d0e31e6a6a721b2ff4b - () https://github.com/alfio-event/alf.io/commit/e7131c588f4ac31067a41d0e31e6a6a721b2ff4b - Patch
References () https://github.com/alfio-event/alf.io/security/advisories/GHSA-mcx6-25f8-8rqw - () https://github.com/alfio-event/alf.io/security/advisories/GHSA-mcx6-25f8-8rqw - Exploit, Third Party Advisory
Summary
  • (es) alf.io es un sistema de reserva de entradas de código abierto para conferencias, ferias comerciales, talleres y reuniones. Antes de la versión 2.0-M5, los datos precargados como json no se escapaban correctamente, y el administrador o administrador de eventos podía interrumpir su propia instalación insertando texto que no se escapaba correctamente. La directiva Content-Security-Policy bloquea cualquier posible ejecución de script. El administrador o administrador de eventos puede anular los textos para fines de personalización. Los textos no se escapan correctamente. La versión 2.0-M5 corrige este problema.

06 Sep 2024, 13:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-06 13:15

Updated : 2024-09-30 12:48

NVD link : CVE-2024-45299

Mitre link : CVE-2024-45299

CVE.ORG link : CVE-2024-45299

JSON object : View

Products Affected

alf

  • alf
CWE
CWE-116

Improper Encoding or Escaping of Output