{"url":"http://public2.vulnerablecode.io/api/packages/32462?format=json","purl":"pkg:pypi/pretix@1.0.0b1","type":"pypi","namespace":"","name":"pretix","version":"1.0.0b1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2023.7.2","latest_non_vulnerable_version":"2026.3.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36560?format=json","vulnerability_id":"VCID-23sx-2a61-cqfp","summary":"An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-For headers even though it has not been configured to do so. This can lead to IP address spoofing by users of the application.","references":[{"reference_url":"https://github.com/pretix/pretix","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pretix/pretix"},{"reference_url":"https://github.com/pretix/pretix/commit/ccdce2ccb8207b82501af3c03f50abc0f819b469","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pretix/pretix/commit/ccdce2ccb8207b82501af3c03f50abc0f819b469"},{"reference_url":"https://github.com/pretix/pretix/compare/v2023.7.0...v2023.7.1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pretix/pretix/compare/v2023.7.0...v2023.7.1"},{"reference_url":"https://github.com/pretix/pretix/tags","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pretix/pretix/tags"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pretix/PYSEC-2023-187.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pretix/PYSEC-2023-187.yaml"},{"reference_url":"https://pretix.eu/about/en/blog/20230911-release-2023-7-1","reference_id":"","reference_type":"","scores":[],"url":"https://pretix.eu/about/en/blog/20230911-release-2023-7-1"},{"reference_url":"https://pretix.eu/about/en/blog/20230911-release-2023-7-1/","reference_id":"","reference_type":"","scores":[],"url":"https://pretix.eu/about/en/blog/20230911-release-2023-7-1/"},{"reference_url":"https://pretix.eu/about/en/ticketing","reference_id":"","reference_type":"","scores":[],"url":"https://pretix.eu/about/en/ticketing"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-44463","reference_id":"CVE-2023-44463","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-44463"},{"reference_url":"https://github.com/advisories/GHSA-j9gq-w73w-9h6c","reference_id":"GHSA-j9gq-w73w-9h6c","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-j9gq-w73w-9h6c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36211?format=json","purl":"pkg:pypi/pretix@2023.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-33va-vuxq-bbc6"},{"vulnerability":"VCID-dvc4-fezc-gufm"},{"vulnerability":"VCID-jh6j-yq6e-cuad"},{"vulnerability":"VCID-wxjm-jcgw-qydn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pretix@2023.7.1"}],"aliases":["CVE-2023-44463","GHSA-j9gq-w73w-9h6c","PYSEC-2023-187"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-23sx-2a61-cqfp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36858?format=json","vulnerability_id":"VCID-33va-vuxq-bbc6","summary":"Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users.","references":[{"reference_url":"https://pretix.eu/about/en/blog/20240823-release-2024-7-1/","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://pretix.eu/about/en/blog/20240823-release-2024-7-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42572?format=json","purl":"pkg:pypi/pretix@2024.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dvc4-fezc-gufm"},{"vulnerability":"VCID-jh6j-yq6e-cuad"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pretix@2024.7.1"}],"aliases":["CVE-2024-8113","PYSEC-2024-180"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-33va-vuxq-bbc6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36396?format=json","vulnerability_id":"VCID-v9fw-cvvw-jkcw","summary":"rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1.","references":[{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pretix/PYSEC-2023-42.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pretix/PYSEC-2023-42.yaml"},{"reference_url":"https://github.com/thufschmitt/pretix-nix","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/thufschmitt/pretix-nix"},{"reference_url":"https://pretix.eu/about/en/blog/20230306-release-4171","reference_id":"","reference_type":"","scores":[],"url":"https://pretix.eu/about/en/blog/20230306-release-4171"},{"reference_url":"https://pretix.eu/about/en/blog/20230306-release-4171/","reference_id":"","reference_type":"","scores":[],"url":"https://pretix.eu/about/en/blog/20230306-release-4171/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27891","reference_id":"CVE-2023-27891","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27891"},{"reference_url":"https://github.com/advisories/GHSA-r76w-3wwq-jv6v","reference_id":"GHSA-r76w-3wwq-jv6v","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-r76w-3wwq-jv6v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32570?format=json","purl":"pkg:pypi/pretix@4.15.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-23sx-2a61-cqfp"},{"vulnerability":"VCID-33va-vuxq-bbc6"},{"vulnerability":"VCID-dvc4-fezc-gufm"},{"vulnerability":"VCID-v9fw-cvvw-jkcw"},{"vulnerability":"VCID-wxjm-jcgw-qydn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pretix@4.15.1"},{"url":"http://public2.vulnerablecode.io/api/packages/32572?format=json","purl":"pkg:pypi/pretix@4.16.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-23sx-2a61-cqfp"},{"vulnerability":"VCID-33va-vuxq-bbc6"},{"vulnerability":"VCID-dvc4-fezc-gufm"},{"vulnerability":"VCID-jh6j-yq6e-cuad"},{"vulnerability":"VCID-v9fw-cvvw-jkcw"},{"vulnerability":"VCID-wxjm-jcgw-qydn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pretix@4.16.1"},{"url":"http://public2.vulnerablecode.io/api/packages/32574?format=json","purl":"pkg:pypi/pretix@4.17.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-23sx-2a61-cqfp"},{"vulnerability":"VCID-33va-vuxq-bbc6"},{"vulnerability":"VCID-dvc4-fezc-gufm"},{"vulnerability":"VCID-jh6j-yq6e-cuad"},{"vulnerability":"VCID-wxjm-jcgw-qydn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pretix@4.17.1"}],"aliases":["CVE-2023-27891","GHSA-r76w-3wwq-jv6v","PYSEC-2023-42"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v9fw-cvvw-jkcw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36738?format=json","vulnerability_id":"VCID-wxjm-jcgw-qydn","summary":"pretix before 2024.1.1 mishandles file validation.","references":[{"reference_url":"https://github.com/pretix/pretix","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pretix/pretix"},{"reference_url":"https://github.com/pretix/pretix/compare/v2023.10.2...v2024.1.1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pretix/pretix/compare/v2023.10.2...v2024.1.1"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pretix/PYSEC-2024-253.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pretix/PYSEC-2024-253.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27447","reference_id":"CVE-2024-27447","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27447"},{"reference_url":"https://github.com/advisories/GHSA-672r-97r7-vx2q","reference_id":"GHSA-672r-97r7-vx2q","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-672r-97r7-vx2q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40208?format=json","purl":"pkg:pypi/pretix@2024.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-33va-vuxq-bbc6"},{"vulnerability":"VCID-dvc4-fezc-gufm"},{"vulnerability":"VCID-jh6j-yq6e-cuad"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pretix@2024.1.1"}],"aliases":["CVE-2024-27447","GHSA-672r-97r7-vx2q","PYSEC-2024-253"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wxjm-jcgw-qydn"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pretix@1.0.0b1"}