CVE-2023-28458
Description
Pretalx 2.3.1 and earlier allow path traversal during HTML export, enabling organizers to overwrite arbitrary files on the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2023-28458 is a path traversal vulnerability in pretalx 2.3.1 and earlier (fixed in 2.3.2), affecting the off-by-default HTML export functionality. The export feature creates a zip archive of event pages, including user-uploaded files such as presentations. Because file paths are not sufficiently validated, an organizer can upload an HTML file containing path traversal sequences (e.g., ../). When the export is generated, pretalx follows these sequences and reads arbitrary files from the server [1][4].
Exploitation
To exploit this vulnerability, an attacker must have organizer-level access to a pretalx instance. The attack starts by uploading a malicious HTML file as part of a talk submission. Later, when the organizer triggers the HTML export, the traversal payload causes pretalx to include arbitrary files in the exported archive. The same mechanism also allows the attacker to overwrite (not read) arbitrary files with the content of pretalx's standard 404 page [1][4]. No authentication bypass is required; the attacker simply leverages their existing organizer privileges.
Impact
An attacker exploiting CVE-2023-28458 can read sensitive files from the pretalx server, such as configuration files containing database credentials or secret keys, potentially leading to further compromise. Additionally, the file write capability could overwrite application files or system resources, though the 404 page content limits this vector. On self-hosted instances, this elevates an organizer's privileges to potentially full server access, depending on the file system permissions [1][2].
Mitigation
Pretalx released version 2.3.2 on March 7, 2023, which fixes this vulnerability by properly validating file paths during HTML export. Users of pretalx.com are automatically protected. Self-hosted instances should update to 2.3.2 or later immediately. No workarounds are available; the vulnerability is closed only by upgrading [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
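The mitigation described above, validating each export path against the destination root before writing, as an added example that is not pretalx's own code; `safe_join`, `classify` and the sample paths are constructed here for illustration:

```python
"""Containment check for a user-influenced relative path, in the style of
the pretalx 2.3.2 fix (added example; not pretalx code)."""
from pathlib import Path
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested path would land outside the export root."""


def safe_join(root, requested):
    """Map a URL-style path onto a file inside root, or raise.

    Both sides are resolved before comparing, so '..' segments and
    symlinks are collapsed. Membership in candidate.parents is used
    instead of a string-prefix test, which would wrongly accept
    '/srv/out2/x' for root '/srv/out'.
    """
    if requested.endswith("/"):
        requested += "index.html"
    root = Path(root).resolve()
    candidate = (root / requested.lstrip("/")).resolve()
    if root not in candidate.parents:
        raise PathTraversalError(f"{requested!r} escapes {root}")
    return candidate


def classify(root, requested):
    """Return 'ok' or 'blocked' for a requested path."""
    try:
        safe_join(root, requested)
        return "ok"
    except PathTraversalError:
        return "blocked"


# Constructed sample paths: normal pages plus traversal attempts.
SAMPLES = [
    "talk/1/",           # ok -> <root>/talk/1/index.html
    "media/slides.pdf",  # ok
    "../../etc/passwd",  # blocked: climbs out of root
    "a/../../secret",    # blocked: traversal behind a valid segment
    "../export2/x",      # blocked: sibling dir sharing the root's prefix
]


def run_samples(root=None):
    """Classify every sample against a fresh (or given) export root."""
    root = root or tempfile.mkdtemp(prefix="export-")
    return {p: classify(root, p) for p in SAMPLES}


if __name__ == "__main__":
    for path, verdict in run_samples().items():
        print(f"{verdict:8} {path}")
```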
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pretalx (PyPI) | >= 2.3.1, < 2.3.2 | 2.3.2 |
Affected products
Patches (2)
- 60722c43cf97: Fix path traversal in static HTML export
1 file changed · +11 −1
src/pretalx/agenda/management/commands/export_schedule_html.py+11 −1 modified@@ -115,7 +115,9 @@ def dump_content(destination, path, getter): if path.endswith("/"): path = path + "index.html" - path = Path(destination) / path.lstrip("/") + path = (Path(destination) / path.lstrip("/")).resolve() + if not Path(destination) in path.parents: + raise CommandError("Path traversal detected, aborting.") path.parent.mkdir(parents=True, exist_ok=True) with open(path, "wb") as f: @@ -131,6 +133,14 @@ def get_mediastatic_content(url): else: raise FileNotFoundError() + # Prevent directory traversal, make sure the path is inside the media or static root + local_path = local_path.resolve(strict=True) + if not any( + path in local_path.parents + for path in (settings.MEDIA_ROOT, settings.STATIC_ROOT) + ): + raise FileNotFoundError() + with open(local_path, "rb") as f: return f.read()
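Review bot: In the `dump_content` hunk, `path` is resolved but `destination` is not, so `if not Path(destination) in path.parents` compares a canonical absolute path against whatever form the caller passed. A relative destination (e.g. `./export`) or one that goes through a symlink is never among the parents of the resolved `path`, and every file would then be rejected with "Path traversal detected". Resolve the root once before the comparison, e.g. `destination = Path(destination).resolve()`, and prefer `Path(destination) not in path.parents` over `not ... in` for readability.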
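Review bot: In the `get_mediastatic_content` hunk, the containment test `path in local_path.parents for path in (settings.MEDIA_ROOT, settings.STATIC_ROOT)` only works if both settings are `Path` objects; `local_path.parents` yields `Path` values, and a `str` never compares equal to a `Path`, so string-typed settings would make the `any(...)` always false and every request raise `FileNotFoundError`. Wrap the roots as `Path(root).resolve()` so the check is independent of how the settings are typed and matches the resolved `local_path`.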
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (9)
- github.com/advisories/GHSA-23fx-92m6-4f2g (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-28458 (ghsa, ADVISORY)
- github.com/pretalx/pretalx/commit/60722c43cf975f319e94102e6bff320723776890 (ghsa, WEB)
- github.com/pretalx/pretalx/releases/tag/v2.3.2 (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/pretalx/PYSEC-2023-40.yaml (ghsa, WEB)
- pretalx.com/p/news/security-release-232 (ghsa, WEB)
- www.sonarsource.com/blog/pretalx-vulnerabilities-how-to-get-accepted-at-every-conference (ghsa, WEB)
- pretalx.com/p/news/security-release-232/ (mitre)
- www.sonarsource.com/blog/pretalx-vulnerabilities-how-to-get-accepted-at-every-conference/ (mitre)
News mentions (1)
- Weekly Metasploit Update: Apache ActiveMQ RCE, Gogs Rebase RCE, and Windows Kernel Pointer Enum (Rapid7 Blog · Jun 5, 2026)