CVE-2023-28459
Published: 20 April 2023
Summary
CVE-2023-28459 is a medium-severity Path Traversal (CWE-22) vulnerability in pretalx. Its CVSS base score is 6.5 (Medium).
Operationally, it ranks in the top 1.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
pretalx versions prior to 2.3.2 contain a path traversal flaw in the non-default HTML export feature. The affected component permits users to upload HTML documents that are processed in a manner allowing the application to read arbitrary files from the underlying filesystem, as classified under CWE-22 with a CVSS 3.1 score of 6.5.
An authenticated user able to submit crafted HTML content can exploit the issue over the network with low attack complexity to disclose sensitive files, achieving high confidentiality impact without requiring user interaction or elevated privileges beyond standard upload rights.
The pretalx project addressed the vulnerability in release 2.3.2 via commit 60722c43cf975f319e94102e6bff320723776890, and the accompanying security advisory directs administrators to apply the update promptly. The SonarSource analysis further details the root cause and confirms the patch scope.
The EPSS score stands at 0.6294 with an identical peak value, reflecting sustained rather than newly emergent exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-0206
Vulnerability details
pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export (a non-default feature). Users were able to upload crafted HTML documents that trigger the reading of arbitrary files.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
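The control above is the one that closes this class of bug: every user-influenced path must be resolved and proven to sit below the export directory before it is read. The following is an added illustration, not pretalx's own code or its patch, of such a containment check in Python (pretalx is a Django application). It assumes a hypothetical exporter that receives relative paths from uploaded HTML and must only ever read files under one export directory; the directory layout in `demo()` is constructed for the example.

```python
"""Added example (not pretalx's code): path containment for a file export.

Mitigates CWE-22 by comparing fully resolved paths instead of string prefixes,
so '..' segments, absolute paths and symlinks planted inside the export tree
are all rejected. The exporter, base directory and file names are assumptions.
"""
import os
import tempfile
from pathlib import Path, PurePosixPath
from typing import Optional


def contained_path(base_dir, requested: str) -> Optional[Path]:
    """Return the absolute path of `requested` under `base_dir`, or None if
    the request would escape `base_dir`."""
    if "\x00" in requested:
        return None  # NUL bytes can truncate paths in lower layers
    rel = PurePosixPath(requested)
    if not rel.parts or rel.is_absolute() or ".." in rel.parts:
        return None
    base = Path(base_dir).resolve()
    # resolve() follows symlinks, so a link inside the tree that points
    # outside it is caught here too. Component-wise relative_to() avoids the
    # classic prefix bug where '/srv/export-evil' passes as '/srv/export'.
    candidate = (base / Path(*rel.parts)).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def read_export_file(base_dir, requested: str) -> bytes:
    """Read a file for inclusion in the export, refusing anything uncontained."""
    path = contained_path(base_dir, requested)
    if path is None:
        raise PermissionError(f"refusing to read outside export dir: {requested!r}")
    return path.read_bytes()


def demo() -> dict:
    """Build a throwaway export directory (constructed data) and exercise the check."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        export = Path(tmp) / "export"
        (export / "static").mkdir(parents=True)
        (export / "static" / "style.css").write_bytes(b"body{}")
        # a symlink inside the export tree that points one level above it
        os.symlink(tmp, export / "static" / "escape")
        results["normal"] = contained_path(export, "static/style.css") is not None
        results["dotdot"] = contained_path(export, "../outside.txt") is None
        results["absolute"] = contained_path(export, "/etc/hostname") is None
        results["symlink"] = contained_path(export, "static/escape/secret") is None
        results["read"] = read_export_file(export, "static/style.css")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order of checks matters: the cheap syntactic rejections (`..`, absolute, NUL) run first, but the `resolve()` plus `relative_to()` comparison is the check that actually enforces containment, because it sees the path as the filesystem will interpret it, symlinks included.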