Products
alf.io
- before 2.0-M5
Source
security-advisories@github.com
Tags
CVE-2024-45299 details
Last Modified : Sept. 6, 2024, 4:46 p.m.
Description
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5, the preloaded data as json is not escaped correctly, the administrator / event admin could break their own install by inserting non correctly escaped text. The Content-Security-Policy directive blocks any potential script execution. The administrator or event administrator can override the texts for customization purpose. The texts are not properly escaped. Version 2.0-M5 fixes this issue.
CVSS Score
| 1 | 2 | 3 | 4 | 5 | 6.5 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-116 | Improper Encoding or Escaping of Output | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
6.5
Exploitability Score
1.2
Impact Score
5.2
Base Severity
MEDIUM
Vector String : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
References
| URL | Source |
|---|---|
| https://github.com/alfio-event/alf.io/commit/e7131c588f4ac31067a41d0e31e6a6a721b2ff4b | security-advisories@github.com |
| https://github.com/alfio-event/alf.io/security/advisories/GHSA-mcx6-25f8-8rqw | security-advisories@github.com |