{"id":"CVE-2024-8113","details":"Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users.","aliases":["GHSA-45rp-q25w-4426","PYSEC-2024-180"],"modified":"2026-04-10T05:19:46.981736Z","published":"2024-08-23T15:15:17.593Z","references":[{"type":"ADVISORY","url":"https://pretix.eu/about/en/blog/20240823-release-2024-7-1/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pretix/pretix","events":[{"introduced":"0"},{"last_affected":"a692940397f99261822688c3957cc6f66f6f95fd"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2024.7.0"}]}}],"versions":["1.0.0","1.0.0b1","1.0.0b2","s","v1.1.0","v1.10.0","v1.11.0","v1.12.0","v1.13.0","v1.14.0","v1.15.0","v1.16.0","v1.17.0","v1.2.0","v1.3.0","v1.4.0","v1.5.0","v1.6.0","v1.7.0","v1.8.0","v1.9.0","v2.0.0","v2.1.0","v2.2.0","v2.3.0","v2.4.0","v2.5.0","v2.6.0","v2.7.0","v2.8.0","v2023.10.0","v2023.6.0","v2023.7.0","v2023.8.0","v2023.9.0","v2024.1.0","v2024.2.0","v2024.3.0","v2024.4.0","v2024.5.0","v2024.6.0","v2024.7.0","v3.0.0","v3.1.0","v3.10.0","v3.11.0","v3.13.0","v3.14.0","v3.15.0","v3.16.0","v3.17.0","v3.18.0","v3.2.0","v3.3.0","v3.4.0","v3.5.0","v3.6.0","v3.7.0","v3.8.0","v3.9.0","v4.0.0","v4.1.0","v4.10.0","v4.11.0","v4.13.0","v4.14.0","v4.15.0","v4.16.0","v4.17.0","v4.18.0","v4.19.0","v4.2.0","v4.20.0","v4.3.0","v4.5.0","v4.6.0","v4.7.0","v4.8.0","v4.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-8113.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}