CVE-2024-45299

MEDIUM

alf.io <2.0-M5 - XSS

Title source: llm

Description

alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5, the preloaded data as json is not escaped correctly, the administrator / event admin could break their own install by inserting non correctly escaped text. The Content-Security-Policy directive blocks any potential script execution. The administrator or event administrator can override the texts for customization purpose. The texts are not properly escaped. Version 2.0-M5 fixes this issue.

References (2)

[Exploit, Third Party Advisory] https://github.com/alfio-event/alf.io/security/advisories/GHSA-mcx6-25f8-8rqw

[Patch] https://github.com/alfio-event/alf.io/commit/e7131c588f4ac31067a41d0e31e6a6a721b2ff4b

View Patch ZIP pw:eip

Scores

CVSS v3 6.5

EPSS 0.0019

EPSS Percentile 40.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-116

Status published

Products (1)

alf/alf < 2.0-m5

Published Sep 06, 2024

Tracked Since Feb 18, 2026