Cyber Resilience

CVE-2023-28458

Severity: Medium · Public PoC

Published: 20 April 2023
Modified: 05 February 2025
KEV Added: not listed
Patch: fixed in 2.3.2
CVSS v3.1 score: 4.3 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
EPSS score: 0.7680 (99.0th percentile)
Risk priority: 55 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-28458 is a medium-severity path traversal (CWE-22) vulnerability in pretalx. Its CVSS 3.1 base score is 4.3 (Medium).

Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-28458 is a path traversal vulnerability in the pretalx event management system, affecting version 2.3.1 (fixed in 2.3.2). It resides in the non-default HTML export feature and stems from failing to confine export file paths to the intended directory (CWE-22), enabling an authenticated user to cause an arbitrary file on the server to be overwritten with the contents of pretalx's standard 404 error page.

The issue can be triggered by conference organizers who have access to the HTML export functionality. By supplying a crafted path, such a user can overwrite any file writable by the pretalx process, resulting in limited integrity impact without affecting confidentiality or availability. The vulnerability carries a CVSS 3.1 base score of 4.3: it is reachable over the network, but requires an authenticated (low-privilege) account and affects integrity only.

Public references, including the pretalx security release announcement and the associated GitHub commit, indicate that the flaw is resolved in version 2.3.2. Administrators are advised to upgrade promptly, after which the HTML export feature no longer permits traversal to arbitrary paths.

The EPSS score has remained near its recorded peak of 0.7784 with a current value of 0.7680, indicating sustained but not sharply increasing exploitation interest since disclosure.

Vulnerability details

pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export (a non-default feature). Organizers can trigger the overwriting (with the standard pretalx 404 page content) of an arbitrary file.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: pretalx
Product: pretalx
Affected versions: ≤ 2.3.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-22): Validates pathnames and filenames to prevent traversal outside intended directories.
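As an added defensive example of this control (not pretalx's own code; the export directory and the requested file names below are constructed): a resolve-then-contain check that confines every export destination to the export root and rejects any request that resolves outside it, which is the check an HTML exporter needs to avoid the overwrite described above.

```python
import tempfile
from pathlib import Path

def resolve_export_path(export_root, requested):
    """Map a requested file name to a location strictly inside export_root, or raise ValueError."""
    root = Path(export_root).resolve()
    if Path(requested).is_absolute():
        # Joining an absolute path onto root would silently discard root.
        raise ValueError(f"absolute export path rejected: {requested!r}")
    candidate = (root / requested).resolve()
    # Containment is checked on the resolved path, not the raw string, so that
    # 'a/../../x' and symlinked directories are judged by where they really point.
    if root not in candidate.parents:
        raise ValueError(f"export path escapes export root: {requested!r}")
    return candidate

def write_export_file(export_root, requested, content):
    """Write content to the validated location and return the path written."""
    target = resolve_export_path(export_root, requested)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content, encoding="utf-8")
    return target

def classify_requests(export_root, requests):
    """Return {request: 'accepted' | 'rejected'} for a batch of candidate file names."""
    outcome = {}
    for req in requests:
        try:
            resolve_export_path(export_root, req)
            outcome[req] = "accepted"
        except ValueError:
            outcome[req] = "rejected"
    return outcome

def run_demo():
    """Exercise the check in a throwaway directory; returns (written file, outcomes)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "export"   # constructed export root
        root.mkdir()
        written = write_export_file(root, "talks/index.html", "<html>constructed page</html>")
        outcomes = classify_requests(root, [
            "talks/index.html", "../outside.html", "talks/../../outside.html",
            "/outside.html", "",
        ])
        return written.relative_to(root.resolve()).as_posix(), outcomes

if __name__ == "__main__":
    print(run_demo())
```

Only the in-root name is accepted; the two `..` forms, the absolute path and the empty name all resolve to the export root itself or to its parent and are rejected before anything is written.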

References