CVE-2023-28459
Description
Pretalx 2.3.1 has a path traversal vulnerability in its HTML export feature, allowing arbitrary file read via crafted uploaded HTML documents.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2023-28459 is a path traversal vulnerability in the HTML export feature of pretalx versions 2.3.1 and earlier [2]. This non-default feature allows organizers to export all event pages as a static HTML archive. The bug enables an attacker with file upload privileges to craft HTML documents that, when processed during export, cause the server to include arbitrary files from the filesystem [1][4].
Exploitation Details
To exploit this vulnerability, an attacker must be able to upload files as part of the conference submission or speaker material process, and the HTML export must be enabled by the organizer. When the export runs, the malicious HTML file references a path (e.g., via an iframe or object tag) that traverses directories, so the export reads sensitive files such as configuration files, database credentials, or other users' uploaded data [1][4].
Impact
Successful exploitation allows an attacker to read arbitrary files that the pretalx process has access to, leading to information disclosure. The attacker could potentially exfiltrate sensitive data such as speaker details, unpublished research, or server secrets. Additionally, the vulnerability was reported to also allow limited file writes (overwriting files with the default 404 page content) [1][4].
Mitigation
The vulnerability was responsibly disclosed by SonarSource researchers and patched in pretalx version 2.3.2, released on March 7, 2023 [4]. Self-hosted instances should update immediately; pretalx.com was already secured. No known exploitation has been reported [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
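As an added illustration of the containment check the fix relies on (this is not pretalx code; the export directory, media root and "secret" file are constructed for the demo), the two functions below mirror the two sides of the patch: resolving a path before comparing it against its intended root, and checking an uploaded file against the media/static roots after following symlinks. Both sides are resolved, so a relative or symlinked root cannot produce a false positive.

```python
from pathlib import Path
import tempfile


def contained_path(destination, requested):
    """Resolve `requested` under `destination`; return None if it escapes.

    Mirrors the export-side fix: resolve first, then require the destination
    to be an ancestor of the result. Both sides are resolved so a relative or
    symlinked destination does not cause false positives.
    """
    root = Path(destination).resolve()
    candidate = (root / str(requested).lstrip("/")).resolve()
    # `candidate == root` is also rejected: an export never writes the root itself.
    return candidate if root in candidate.parents else None


def under_any_root(local_path, roots):
    """Media/static-side check: is the resolved file inside one of `roots`?

    Roots are wrapped in Path and resolved, because a plain str never compares
    equal to a Path in `parents`, and an unresolved root never matches a
    resolved path that passed through a symlink.
    """
    local_path = Path(local_path).resolve(strict=True)  # raises if the file is missing
    return any(Path(r).resolve() in local_path.parents for r in roots)


def demo():
    """Constructed scenario: an export dir, a media root, and a secret outside both."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        export, media, secret = tmp / "export", tmp / "media" / "submissions", tmp / "secret.cfg"
        export.mkdir()
        media.mkdir(parents=True)
        secret.write_text("DATABASE_PASSWORD=constructed")
        results = {
            # an ordinary page path stays inside the export directory
            "normal_page": contained_path(export, "/talks/index.html") is not None,
            # traversal out of the export directory is rejected
            "traversal": contained_path(export, "/../secret.cfg") is None,
        }
        # an "uploaded" file that is really a symlink to a file outside MEDIA_ROOT
        link = media / "speaker.html"
        link.symlink_to(secret)
        results["symlinked_upload"] = not under_any_root(link, [tmp / "media", tmp / "static"])
        return results


if __name__ == "__main__":
    print(demo())
```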
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pretalx (PyPI) | < 2.3.2 | 2.3.2 |
Affected products
Patches
60722c43cf97: Fix path traversal in static HTML export
1 file changed · +11 −1
src/pretalx/agenda/management/commands/export_schedule_html.py+11 −1 modified@@ -115,7 +115,9 @@ def dump_content(destination, path, getter): if path.endswith("/"): path = path + "index.html" - path = Path(destination) / path.lstrip("/") + path = (Path(destination) / path.lstrip("/")).resolve() + if not Path(destination) in path.parents: + raise CommandError("Path traversal detected, aborting.") path.parent.mkdir(parents=True, exist_ok=True) with open(path, "wb") as f: @@ -131,6 +133,14 @@ def get_mediastatic_content(url): else: raise FileNotFoundError() + # Prevent directory traversal, make sure the path is inside the media or static root + local_path = local_path.resolve(strict=True) + if not any( + path in local_path.parents + for path in (settings.MEDIA_ROOT, settings.STATIC_ROOT) + ): + raise FileNotFoundError() + with open(local_path, "rb") as f: return f.read()
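Review bot: In the `dump_content` hunk, `Path(destination)` is compared unresolved against the resolved `path.parents`; if `destination` is passed as a relative path or goes through a symlink, no resolved path will ever list it as a parent and the export aborts with `CommandError` for every file. Resolve the destination once before the comparison (`destination = Path(destination).resolve()`) and, as a style point, write `Path(destination) not in path.parents` rather than `not Path(destination) in ...`.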
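Review bot: In the `get_mediastatic_content` hunk, `settings.MEDIA_ROOT` and `settings.STATIC_ROOT` are used directly as elements to look for in `local_path.parents`; a root configured as a `str` never compares equal to a `Path`, and a root that is not itself resolved never matches a resolved path that passed through a symlink, so the guard would reject legitimate media and static files with `FileNotFoundError`. Normalise the roots in the generator, e.g. `Path(path).resolve() in local_path.parents`, so the check only fires on genuine escapes.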
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-wh3w-jcc7-mhmf (ghsa, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-28459 (ghsa, advisory)
- github.com/pretalx/pretalx/commit/60722c43cf975f319e94102e6bff320723776890 (ghsa, web)
- github.com/pretalx/pretalx/releases/tag/v2.3.2 (ghsa, web)
- github.com/pypa/advisory-database/tree/main/vulns/pretalx/PYSEC-2023-41.yaml (ghsa, web)
- pretalx.com/p/news/security-release-232 (ghsa, web)
- www.sonarsource.com/blog/pretalx-vulnerabilities-how-to-get-accepted-at-every-conference (ghsa, web)
- pretalx.com/p/news/security-release-232/ (mitre)
- www.sonarsource.com/blog/pretalx-vulnerabilities-how-to-get-accepted-at-every-conference/ (mitre)
News mentions
- Weekly Metasploit Update: Apache ActiveMQ RCE, Gogs Rebase RCE, and Windows Kernel Pointer Enum (Rapid7 Blog · Jun 5, 2026)