[GHSA-45rp-q25w-4426] pretix Stored Cross-site Scripting vulnerability

[p-w]

Updates

• Affected products
• CVSS
• Severity

Comments
Even though <script> tags could be inserted into the control panel using this vulnerability, they wouldn't be executed by the browser, due to a Content Security Policy blocking inline and remote scripts. Therefore, the security impact on a typical pretix installation is low.

[shelbyc]

Hi @p-w, thank you for sharing your concerns about the severity assessment in the CVE record for GHSA-45rp-q25w-4426/CVE-2024-8113. The CVE Numbering Authority that issued the CVE and assessed the vulnerability's severity, rami.io, is also the owner of pretix. I recommend sharing your concerns about the CVSS value by reaching out to rami at the email provided in their CNA Partner profile, security@rami.io.

rami.io also chose to use a CVSS 4.0 score for CVE-2024-8113. CVSS 4.0 sometimes scores vulnerabilities at a higher or lower severity than CVSS 3.1, especially when supplemental metrics are used in the scoring process. If you have time and would like to learn more about the CVSS 4.0 score for CVE-2024-8113 or CVSS 4.0 more generally, visiting https://www.first.org/cvss/calculator/v4-0#CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/R:U/RE:L/U:Green to toggle the metrics and see how the score changes is a good way to get a sense of the new scoring system.

Thanks for listening to my enthusiasm about learning about CVSS 4.0 and have a great week! 😃

[github-actions]

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.