Alf.io
by Alfio Event
CVEs (13)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-35482 | Alfio Event / Alf.io | High | 0.52 | 8.0 | 0.00 | | Jun 2, 2026 | alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, a sandbox escape vulnerability in the alf.io extension script engine allows an authenticated administrator to execute arbitrary operating system… |
| CVE-2026-41412 | Alfio Event / Alf.io | Medium | 0.32 | 4.9 | 0.00 | | Jun 2, 2026 | alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, the alf.io extension sandbox injects a fully-functional HTTP client (`simpleHttpClient`) into every extension script's scope. The… |
| CVE-2024-45300 | Alfio Event / Alf.io | | 0.00 | — | 0.00 | | Sep 6, 2024 | alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5, a race condition allows the user to bypass the limit on the number of promo codes and use the discount coupon multiple times. In "alf.io", an event… |
| CVE-2024-45299 | Alfio Event / Alf.io | | 0.00 | — | 0.01 | | Sep 6, 2024 | alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5, the preloaded data as json is not escaped correctly, the administrator / event admin could break their own install by inserting non correctly escaped… |
| CVE-2024-25634 | Alfio Event / Alf.io | | 0.00 | — | 0.01 | | Feb 19, 2024 | alf.io is an open source ticket reservation system. Prior to version 2.0-Mr-2402, an attacker can access data from other organizers. The attacker can use a specially crafted request to receive the e-mail log sent by other events. Version 2.0-M4-2402 fixes this issue. |
| CVE-2024-25635 | Alfio Event / Alf.io | | 0.00 | — | 0.01 | | Feb 19, 2024 | alf.io is an open source ticket reservation system. Prior to version 2.0-Mr-2402, organization owners can view the generated API KEY and USERS of other organization owners using the `http://192.168.26.128:8080/admin/api/users/<user_id>` endpoint, which exposes the details of the… |
| CVE-2024-25627 | Alfio Event / Alf.io | | 0.00 | — | 0.00 | | Feb 16, 2024 | Alf.io is a free and open source event attendance management system. An administrator on the alf.io application is able to upload HTML files that trigger JavaScript payloads. As such, an attacker gaining administrative access to the alf.io application may be able to persist… |
| CVE-2024-25628 | Alfio Event / Alf.io | | 0.00 | — | 0.00 | | Feb 16, 2024 | Alf.io is a free and open source event attendance management system. In versions prior to 2.0-M4-2402 users can access the admin area even after being invalidated/deleted. This issue has been addressed in version 2.0-M4-2402. All users are advised to upgrade. There are no known… |
| CVE-2023-2258 | Alfio Event / Alf.io | | 0.00 | — | 0.01 | | Apr 24, 2023 | Improper Neutralization of Formula Elements in a CSV File in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304. |
| CVE-2023-2259 | Alfio Event / Alf.io | | 0.00 | — | 0.01 | | Apr 24, 2023 | Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304. |
| CVE-2023-2260 | Alfio Event / Alf.io | | 0.00 | — | 0.01 | | Apr 24, 2023 | Authorization Bypass Through User-Controlled Key in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304. |
| CVE-2023-0300 | Alfio Event / Alf.io | | 0.00 | — | 0.00 | | Jan 14, 2023 | Cross-site Scripting (XSS) - Reflected in GitHub repository alfio-event/alf.io prior to 2.0-M4-2301. |
| CVE-2023-0301 | Alfio Event / Alf.io | | 0.00 | — | 0.00 | | Jan 14, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository alfio-event/alf.io prior to Alf.io 2.0-M4-2301. |