Cyber Resilience

CVE-2023-28459

Severity: Medium · Public PoC

Published: 20 April 2023
Modified: 05 February 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: fixed in pretalx 2.3.2
CVSS v3.1 score: 6.5 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.6294 (98.4th percentile)
Risk priority: 51 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-28459 is a medium-severity Path Traversal (CWE-22) vulnerability in pretalx (vendor and product: pretalx). Its CVSS v3.1 base score is 6.5 (Medium).

Operationally, it ranks in the top 1.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

pretalx versions prior to 2.3.2 contain a path traversal flaw in the non-default HTML export feature. The affected component lets users upload HTML documents, and the way those documents were processed allowed the application to read arbitrary files from the underlying filesystem; the weakness is classified as CWE-22 with a CVSS 3.1 score of 6.5.

An authenticated user able to submit crafted HTML content can exploit the issue over the network with low attack complexity to disclose sensitive files. The impact is high on confidentiality and none on integrity or availability (I:N/A:N), and exploitation requires no user interaction and no privileges beyond those of a standard user with upload rights (PR:L).

The pretalx project addressed the vulnerability in release 2.3.2 via commit 60722c43cf975f319e94102e6bff320723776890, and the accompanying security advisory directs administrators to apply the update promptly. The SonarSource analysis further details the root cause and confirms the patch scope.

The EPSS score stands at 0.6294 with an identical peak value, reflecting sustained rather than newly emergent exploitation interest after disclosure.

EU & UK References

Vulnerability details

pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export (a non-default feature). Users were able to upload crafted HTML documents that trigger the reading of arbitrary files.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: pretalx
Product: pretalx
Affected versions: ≤ 2.3.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
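The control above is the generic CWE-22 mitigation. The following is an added illustration of how such a check is commonly implemented in Python; it is not pretalx code and is not the fix from commit 60722c43cf975f319e94102e6bff320723776890. The directory names, file names and the `resolve_within`, `classify` and `demo` helpers are all constructed for the example. The key design point is that containment is checked on the canonicalised path (after `..` components and symlinks are resolved), not on the raw string, so a symlink inside the export directory that points elsewhere is rejected just like `../`.

```python
from __future__ import annotations

import os
import shutil
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested name would resolve outside the allowed directory."""


def resolve_within(base_dir: str, requested: str) -> Path:
    """Return the canonical path for `requested` under `base_dir`, or raise.

    Absolute names are refused outright. Both sides are canonicalised
    (resolving '..' and symlinks) before the containment check, so the
    decision is made on the path that would actually be opened.
    """
    if Path(requested).is_absolute() or requested.startswith(("/", "\\")):
        raise UnsafePathError(f"absolute name refused: {requested!r}")
    base = Path(base_dir).resolve(strict=True)
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError if not under base
    except ValueError:
        raise UnsafePathError(f"{requested!r} escapes {base}") from None
    return candidate


def classify(base_dir: str, names: list[str]) -> dict[str, bool]:
    """Map each requested name to True if it stays inside base_dir, else False."""
    result: dict[str, bool] = {}
    for name in names:
        try:
            resolve_within(base_dir, name)
            result[name] = True
        except UnsafePathError:
            result[name] = False
    return result


def demo() -> dict[str, bool]:
    """Build a constructed directory layout and classify a few request names.

    Layout (all constructed in a temp dir):
      export/index.html              legitimate export file
      outside/secret.txt             file that must never be readable via export
      export/link.html -> ../outside/secret.txt   symlink escaping the export dir
    """
    root = Path(tempfile.mkdtemp(prefix="cwe22-demo-"))
    export, outside = root / "export", root / "outside"
    export.mkdir()
    outside.mkdir()
    (export / "index.html").write_text("<html></html>")
    (outside / "secret.txt").write_text("constructed secret")
    link_made = True
    try:
        os.symlink(outside / "secret.txt", export / "link.html")
    except OSError:  # platforms without symlink support still run the rest
        link_made = False

    names = [
        "index.html",             # plain file inside the export dir
        "sub/../index.html",      # '..' that stays inside the base
        "../outside/secret.txt",  # classic traversal out of the base
        "/outside/secret.txt",    # absolute name, refused outright
    ]
    if link_made:
        names.append("link.html")  # looks local, resolves outside
    try:
        return classify(str(export), names)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'allow' if ok else 'deny ':5} {name}")
```

Note that `relative_to` is a path-component comparison, so a sibling directory whose name merely shares a prefix with the base (for example `export2` next to `export`) is correctly rejected; a naive `str(candidate).startswith(str(base))` check would not do that.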

References