CVE-2024-45299— alf.io's preloaded data as json is not escaped correctly
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-45299
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
alf.io's preloaded data as json is not escaped correctly
Source: NVD (National Vulnerability Database)
Vulnerability Description
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5, the preloaded data as json is not escaped correctly, the administrator / event admin could break their own install by inserting non correctly escaped text. The Content-Security-Policy directive blocks any potential script execution. The administrator or event administrator can override the texts for customization purpose. The texts are not properly escaped. Version 2.0-M5 fixes this issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对输出编码和转义不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
alf.io 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Alf.io是Alf.io开源的一款免费开源活动出席管理系统。 alf.io 2.0-M5之前版本存在安全漏洞,该漏洞源于预加载的json数据未正确转义,可能导致管理员或活动管理员插入未正确转义的文本破坏自身安装。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| alfio-event | alf.io | < 2.0-M5 | - |
II. Public POCs for CVE-2024-45299
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-45299
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: alf.io
- CVE-2024-45300
Bypassing promo code limitations with race conditions - CVE-2024-25634
IDOR make user can read e-mail log sent by other events - CVE-2024-25635
IDOR Vulnerability: Allowing Organization Owner to view the - CVE-2024-25627
Cross-Site Scripting (XSS) via File Upload in Alf.io - CVE-2024-25628
Insufficient Session Expiration in alf.io
Same vendor: alfio-event
- CVE-2024-45300
Bypassing promo code limitations with race conditions - CVE-2024-25634
IDOR make user can read e-mail log sent by other events - CVE-2024-25635
IDOR Vulnerability: Allowing Organization Owner to view the - CVE-2024-25627
Cross-Site Scripting (XSS) via File Upload in Alf.io - CVE-2024-25628
Insufficient Session Expiration in alf.io
Same weakness: CWE-116
- CVE-2026-42810
Apache Polaris: could broaden vended S3 credentials through - CVE-2026-42040
Axios: Null Byte Injection via Reverse-Encoding in AxiosURLS - CVE-2026-40567
FreeScout has HTML Injection in Outgoing Emails via Unsaniti - CVE-2026-6058
Zyxel WRE6505 安全漏洞 - CVE-2026-20136
Cisco Identity Services Engine Authenticated Privilege Escal
V. Comments for CVE-2024-45299
No comments yet