VYPR
Moderate severity · NVD Advisory · Published Oct 2, 2023 · Updated Sep 23, 2024

CVE-2023-44463

Description

An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-For headers even though it has not been configured to do so. This can lead to IP address spoofing by users of the application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

pretix before 2023.7.1 trusts X-Forwarded-For headers due to incorrect configuration parsing, enabling IP spoofing.

Description

An issue in pretix before version 2023.7.1 allows IP address spoofing due to incorrect parsing of configuration files. The application trusts X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Proto headers even when the corresponding settings are explicitly set to off in the pretix.cfg file. The headers are only ignored if the configuration flags are absent entirely, meaning any presence of the flags—regardless of their value—causes the headers to be honored [1][4].
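The parsing difference described above, as an added example that is not pretix's own code: it loads a constructed pretix.cfg fragment with the flags explicitly switched off and compares the pre-fix `config.get` evaluation against the fixed `config.getboolean` one. `client_ip` is a hypothetical stand-in for a proxy-aware client-address lookup, not a pretix function.

```python
import configparser

# Constructed pretix.cfg fragment: the operator has explicitly switched trust OFF.
SAMPLE_CFG = """
[pretix]
trust_x_forwarded_for = off
trust_x_forwarded_proto = false
"""


def load_config(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def trust_flag_vulnerable(cfg: configparser.ConfigParser, key: str) -> bool:
    # Pre-2023.7.1 behaviour: config.get() returns the raw string ('off'), and any
    # non-empty string is truthy, so the flag reads as True whenever the key exists.
    return bool(cfg.get('pretix', key, fallback=False))


def trust_flag_fixed(cfg: configparser.ConfigParser, key: str) -> bool:
    # Fixed behaviour: getboolean() maps off/false/no/0 to False and still uses the
    # fallback when the key is absent.
    return cfg.getboolean('pretix', key, fallback=False)


def client_ip(meta: dict, trust_xff: bool) -> str:
    # Hypothetical stand-in for a proxy-aware client-address lookup (not pretix's
    # own code): honour X-Forwarded-For only when the flag says the proxy is trusted.
    if trust_xff and meta.get('HTTP_X_FORWARDED_FOR'):
        return meta['HTTP_X_FORWARDED_FOR'].split(',')[0].strip()
    return meta['REMOTE_ADDR']


def demo() -> tuple:
    cfg = load_config(SAMPLE_CFG)
    # Constructed request: the header arrived from the client, not from a trusted proxy.
    meta = {'REMOTE_ADDR': '203.0.113.10', 'HTTP_X_FORWARDED_FOR': '198.51.100.7'}
    before = client_ip(meta, trust_flag_vulnerable(cfg, 'trust_x_forwarded_for'))
    after = client_ip(meta, trust_flag_fixed(cfg, 'trust_x_forwarded_for'))
    return before, after  # → ('198.51.100.7', '203.0.113.10')


if __name__ == '__main__':
    print(demo())
```

With the key present but set to `off`, the old parser still yields a trusted header; the fixed parser only trusts it for `on`/`true`/`yes`/`1`.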

Exploitation

To exploit this vulnerability, an attacker must control the X-Forwarded-For header sent to the pretix application. This occurs when the reverse proxy configuration allows user-supplied headers to pass through without validation or stripping. The impact is amplified if an administrator has explicitly disabled the trust_x_forwarded_for setting with the intention of relying solely on the proxy for IP identification, yet the bug still treats the header as trusted [4].

Impact

Successfully spoofing the IP address allows an attacker to bypass IP-based rate limiting mechanisms within pretix. While pretix does not use the IP address for access control, some rate-limiting features depend on it. A higher impact could be possible if additional external access controls rely on host names or IP addresses derived from these headers [4].

Mitigation

The vulnerability is fixed in pretix versions 2023.7.1, 2023.6.1, and 4.20.2 [2][4]. Operators of self-hosted pretix installations are strongly advised to update immediately. Customers of the hosted pretix service are not affected. As a workaround, administrators should ensure their reverse proxy strips or overwrites any client-supplied X-Forwarded-* headers before forwarding requests to pretix.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
pretix | PyPI | < 2023.7.1 | 2023.7.1

Affected products: 2

Patches (1)
ccdce2ccb820

Fix incorrect handling of boolean configuration flags

https://github.com/pretix/pretix · Raphael Michel · Sep 8, 2023 · via ghsa
1 file changed · +3 −3
  • src/pretix/settings.py (+3 −3, modified)
    @@ -188,13 +188,13 @@
     
     CSRF_TRUSTED_ORIGINS = [urlparse(SITE_URL).scheme + '://' + urlparse(SITE_URL).hostname]
     
    -TRUST_X_FORWARDED_FOR = config.get('pretix', 'trust_x_forwarded_for', fallback=False)
    -USE_X_FORWARDED_HOST = config.get('pretix', 'trust_x_forwarded_host', fallback=False)
    +TRUST_X_FORWARDED_FOR = config.getboolean('pretix', 'trust_x_forwarded_for', fallback=False)
    +USE_X_FORWARDED_HOST = config.getboolean('pretix', 'trust_x_forwarded_host', fallback=False)
     
     
     REQUEST_ID_HEADER = config.get('pretix', 'request_id_header', fallback=False)
     
    -if config.get('pretix', 'trust_x_forwarded_proto', fallback=False):
    +if config.getboolean('pretix', 'trust_x_forwarded_proto', fallback=False):
         SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
     
     PRETIX_PLUGINS_DEFAULT = config.get('pretix', 'plugins_default',
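Review bot: switching the three trust flags from `config.get` to `config.getboolean` is the right fix: `config.get` returned the raw string, so `trust_x_forwarded_for = off` evaluated as the truthy string `'off'` and only an absent key ever reached the `fallback=False` branch. One point worth a sentence in the configuration docs: `getboolean` raises `ValueError` for anything outside configparser's accepted set (`1/yes/true/on`, `0/no/false/off`), so a misspelt value now fails at settings import instead of silently granting trust, which is the safer failure mode but a visible behaviour change for operators. `REQUEST_ID_HEADER` rightly stays on `config.get`, since it holds a header name rather than a boolean.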
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8
