Alf.io is an open-source ticket reservation system designed to simplify event management for conferences, trade shows, workshops, and meetups. In versions prior to 2.-M5, however, the preloaded data JSON was not escaped correctly. Administrators and event managers could break their own installation by inserting incorrectly escaped text. Fortunately, the Content-Security-Policy directive blocks any potential script execution.

Exploit Details

In alf.io versions before 2.-M5, administrators or event managers could customize the default text for their event. Because that text was placed into the preloaded JSON without correct escaping, the system may stop functioning properly once improperly escaped text is inserted. Content-Security-Policy (CSP) limits the impact by blocking any possible script execution.

Here is a code snippet that demonstrates this vulnerability:

{
  "event": {
    "title": "My Event</script><script>alert('XSS')</script>",
    "description": "This is a </script><script>alert('XSS')</script> event."
  }
}

In this example, both the title and description fields include incorrectly escaped HTML tags (</script><script>alert('XSS')</script>). When such text is emitted unescaped inside the page's inline script, the browser treats the embedded </script> as the end of that script, so the rest of the preloaded data is never read and the alf.io page malfunctions; the second script element is what CSP blocks.
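The following is an added example, not code from alf.io, showing why the failure above happens and how inline JSON is normally hardened against it. It embeds a constructed event object (the same shape as the snippet above) into an inline script in two ways: a naive JSON.stringify, which leaves the literal </script> in the HTML, and an escaping step that rewrites the HTML-significant characters as \uXXXX sequences, which is still valid JSON and therefore parses back to the original text. All function and variable names (embedUnsafe, embedSafe, escapeJsonForInlineScript, countScriptClosers, roundTrips, __PRELOAD__) are assumptions for this example.

```javascript
// Added example (not alf.io's code): embedding "preloaded data" JSON inside
// an inline <script> so that user-controlled text can never close the
// script element. All names below are assumptions for this example.

// Constructed sample: the text an event manager might type into a template
// field. The title contains a closing script tag; the description contains
// U+2028, which is legal in JSON but a line terminator in older JS engines.
const preloadedData = {
  event: {
    title: "My Event</script><script>alert('XSS')</script>",
    description: "Line one\u2028Line two"
  }
};

// Naive embedding: JSON.stringify leaves '<' and '>' untouched, so the
// literal "</script>" ends up in the HTML. The HTML parser terminates the
// script element there, the remaining JSON is rendered as page text, and a
// second <script> element appears (the one CSP has to block).
function embedUnsafe(data) {
  return "<script>window.__PRELOAD__ = " + JSON.stringify(data) + ";</script>";
}

// Hardened embedding: replace the characters that matter to the HTML parser
// ('<', '>', '&') and the JS line terminators U+2028/U+2029 with JSON
// \uXXXX escapes. The result is still valid JSON, so JSON.parse (or the JS
// engine reading the literal) reconstructs the original text unchanged.
function escapeJsonForInlineScript(data) {
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

function embedSafe(data) {
  return "<script>window.__PRELOAD__ = " + escapeJsonForInlineScript(data) + ";</script>";
}

// Defensive check: count the "</script" sequences in a rendered fragment.
// The HTML parser matches the closing tag case-insensitively, so a correct
// page contains exactly one (the wrapper's own closing tag).
function countScriptClosers(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Round-trip check: the escaped payload still parses to the same object.
function roundTrips(data) {
  const escaped = escapeJsonForInlineScript(data);
  return JSON.stringify(JSON.parse(escaped)) === JSON.stringify(data);
}

// Stand-alone demonstration.
console.log("unsafe closers:", countScriptClosers(embedUnsafe(preloadedData))); // 3
console.log("safe closers:  ", countScriptClosers(embedSafe(preloadedData)));   // 1
console.log("round-trips:   ", roundTrips(preloadedData));                      // true
```

The same escaping is what template engines apply when they inline JSON into a page; the point of the check function is that a defender can run it over rendered templates in a test suite and fail the build when any inline payload introduces a second closing tag.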

For more details on this vulnerability, you can refer to the following sources:

- The official alf.io repository on GitHub: https://github.com/alfio-event/alf.io
- The alf.io release notes, which mention the issue and release of version 2.-M5 that fixes the vulnerability: https://alf.io/documentation/release-notes#v2.-M5

Solution

The alf.io team has fixed this issue in version 2.-M5. All users of alf.io are recommended to upgrade to the latest version to ensure their systems are not vulnerable to this issue. You can download the update here: https://alf.io/download

In conclusion, it is crucial to ensure that all systems using the alf.io ticket reservation system are updated to version 2.-M5 or later to mitigate the risk of this vulnerability. By doing so, event managers and administrators can be confident that their installations are secure and functioning correctly.

Timeline

Published on: 09/06/2024 13:15:05 UTC
Last modified on: 09/30/2024 12:48:22 UTC