VYPR
High severity · NVD Advisory · Published Mar 6, 2023 · Updated Mar 6, 2025

CVE-2023-27891

Description

rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

pretix before 4.17.1 allows OAuth authorization from a timed-out session, enabling local attackers to connect third-party apps unnoticed.

Vulnerability

Description

CVE-2023-27891 is a session validation flaw in pretix, a ticket sales platform. During OAuth authorization, pretix checks the user's session only at the start of the flow and does not re-validate it at the moment of approval. As a result, an OAuth application authorization can be confirmed even after the session has expired (typically after 12 hours of inactivity, or at the 14-day general session limit) [2]. The root cause is that the authorization dialog does not enforce session freshness, so a stale session can authorize a new OAuth client.
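Added illustration of the check described above (example code, not pretix's own): a minimal two-step consent flow in which the flawed approval handler reuses the identity captured when the dialog was rendered, while the corrected handler re-validates the session against the 12-hour idle and 14-day absolute limits at submission time. The class and function names, and the scenario timestamps, are assumptions.

```python
# Added illustration, not pretix's code. Limits are assumptions from the advisory.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IDLE_LIMIT = timedelta(hours=12)      # inactivity timeout
ABSOLUTE_LIMIT = timedelta(days=14)   # general session limit

@dataclass
class Session:
    user_id: int
    login_at: datetime
    last_activity: datetime

    def is_valid(self, now):
        # Live only while both the idle and the absolute limit still hold.
        return now - self.last_activity <= IDLE_LIMIT and now - self.login_at <= ABSOLUTE_LIMIT

class AuthorizationDialog:
    # Two-step OAuth consent: render() shows the dialog, approve_*() is the POST.
    def __init__(self, session):
        self.session = session
        self.rendered_for = None  # user id captured when the dialog was shown

    def render(self, now):
        if not self.session.is_valid(now):  # both variants check here
            return False
        self.rendered_for = self.session.user_id
        self.session.last_activity = now
        return True

    def approve_vulnerable(self, now, client_id):
        # Flawed: trusts the identity captured at render time, never re-checks now.
        if self.rendered_for is None:
            return None
        return {"user_id": self.rendered_for, "client_id": client_id}

    def approve_fixed(self, now, client_id):
        # Corrected: the session must still be valid at the moment of approval.
        if self.rendered_for is None or not self.session.is_valid(now):
            return None
        self.session.last_activity = now
        return {"user_id": self.session.user_id, "client_id": client_id}

def scenario(hours_idle):
    # Constructed case: dialog opened at login, approval POSTed hours_idle later.
    t0 = datetime(2023, 3, 1, 9, 0, tzinfo=timezone.utc)
    dialog = AuthorizationDialog(Session(7, t0, t0))
    dialog.render(t0)
    later = t0 + timedelta(hours=hours_idle)
    return dialog.approve_vulnerable(later, "app"), dialog.approve_fixed(later, "app")
```

With a 13-hour gap the flawed handler still grants the authorization while the corrected one refuses it; within the idle limit both succeed.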

Exploitation

Prerequisites

Exploitation requires the attacker to have physical or remote access to a victim's browser (or possession of a session cookie) that was recently used to log into pretix. The victim must have left a session open past the 12-hour timeout but within the 14-day window. The attacker cannot compromise arbitrary accounts remotely; they must already have access to a device whose session has since timed out [2]. Every time a new OAuth app is authorized, pretix sends an email notification to the account owner, which makes silent exploitation difficult, though still possible if the email is overlooked [2].

Impact

If successfully exploited, an attacker can silently authorize a malicious OAuth application linked to the victim's pretix account. This gives the third-party application access to all data the victim can see within pretix (e.g., ticket orders, event details, attendee information) via the API. The attacker could then exfiltrate data, modify events, or perform other actions permitted by the OAuth scopes the application requests [2].

Mitigation

The issue is fixed in pretix versions 4.15.1, 4.16.1, and 4.17.1 [1][2]. Users of the pretix Hosted service were notified directly. Users of self-hosted instances should update immediately to one of the patched releases. There is no known workaround other than upgrading [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions       Patched versions
pretix (PyPI)    >= 4.17.0, < 4.17.1     4.17.1
pretix (PyPI)    >= 4.16.0, < 4.16.1     4.16.1
pretix (PyPI)    < 4.15.1                4.15.1

Affected products

2
  • rami.io/pretix (source: description)
  • ghsa-coords, range: >= 4.17.0, < 4.17.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.