{"id":"CVE-2024-45299","summary":"alf.io's preloaded data as json is not escaped correctly","details":"alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5, the preloaded data as json is not escaped correctly, the administrator / event admin could break their own install by inserting non correctly escaped text. The Content-Security-Policy directive blocks any potential script execution. The administrator or event administrator can override the texts for customization purpose. The texts are not properly escaped. Version 2.0-M5 fixes this issue.","aliases":["GHSA-mcx6-25f8-8rqw"],"modified":"2026-04-10T05:16:49.807689Z","published":"2024-09-06T13:00:47.419Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/45xxx/CVE-2024-45299.json","cwe_ids":["CWE-116"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/45xxx/CVE-2024-45299.json"},{"type":"ADVISORY","url":"https://github.com/alfio-event/alf.io/security/advisories/GHSA-mcx6-25f8-8rqw"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45299"},{"type":"FIX","url":"https://github.com/alfio-event/alf.io/commit/e7131c588f4ac31067a41d0e31e6a6a721b2ff4b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/alfio-event/alf.io","events":[{"introduced":"0"},{"fixed":"b69d9db08cd8b82ec82ad4d3d1673abc1aab68da"}]}],"versions":["1.10","1.10-RC1","1.10-RC2","1.10.1","1.11","1.12","1.12-RC1","1.12-RC2","1.12-RC3","1.12-RC4","1.13","1.13-RC1","1.13-RC2","1.13-RC3","1.14","1.14-RC1","1.14-RC2","1.14.1","1.4","1.4-RC2","1.4.1","1.5","1.6","1.7","1.8","1.8-RC1","1.8-RC2","1.9","1.9.1","2.0-M0","2.0-M1","2.0-M1-1906","2.0-M1-1906.1","2.0-M2","2.0-M3","2.0-M4","2.0-M4-2204","2.0-M4-2301","2.0-M4-2304","2.0-M4.RC1","2.0-M4.RC2","2.0-M4.RC3","2.0-M4.RC4","alfio-1.1","alfio-1.2","alfio-1.3","alfio-1.3-beta1","alfio-1.3.1","v1.0-pre-rename","v1.0-pre-rename-v2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-45299.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H"}]}