CVE-2024-45299

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-45299
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5, the preloaded data as json is not escaped correctly, the administrator / event admin could break their own install by inserting non correctly escaped text. The Content-Security-Policy directive blocks any potential script execution. The administrator or event administrator can override the texts for customization purpose. The texts are not properly escaped. Version 2.0-M5 fixes this issue.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/alfio-event/alf.io/commit/e7131c588f4ac31067a41d0e31e6a6a721b2ff4b Patch
https://github.com/alfio-event/alf.io/security/advisories/GHSA-mcx6-25f8-8rqw Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:alf:alf:*:*:*:*:*:*:*:*
History

30 Sep 2024, 12:48

Type Values Removed Values Added
Summary
  • (es) alf.io es un sistema de reserva de entradas de código abierto para conferencias, ferias comerciales, talleres y reuniones. Antes de la versión 2.0-M5, los datos precargados como json no se escapaban correctamente, y el administrador o administrador de eventos podía interrumpir su propia instalación insertando texto que no se escapaba correctamente. La directiva Content-Security-Policy bloquea cualquier posible ejecución de script. El administrador o administrador de eventos puede anular los textos para fines de personalización. Los textos no se escapan correctamente. La versión 2.0-M5 corrige este problema.
CPE cpe:2.3:a:alf:alf:*:*:*:*:*:*:*:*
References () https://github.com/alfio-event/alf.io/commit/e7131c588f4ac31067a41d0e31e6a6a721b2ff4b - () https://github.com/alfio-event/alf.io/commit/e7131c588f4ac31067a41d0e31e6a6a721b2ff4b - Patch
References () https://github.com/alfio-event/alf.io/security/advisories/GHSA-mcx6-25f8-8rqw - () https://github.com/alfio-event/alf.io/security/advisories/GHSA-mcx6-25f8-8rqw - Exploit, Third Party Advisory
First Time Alf alf
Alf

06 Sep 2024, 13:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-06 13:15

Updated : 2024-09-30 12:48

NVD link : CVE-2024-45299

Mitre link : CVE-2024-45299

CVE.ORG link : CVE-2024-45299

JSON object : View

Products Affected

alf

  • alf
CWE
CWE-116

Improper Encoding or Escaping of Output


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024