CVE-2024-45300

Published: Sep 6, 2024

Modified: Sep 6, 2024

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5, a race condition allows the user to bypass the limit on the number of promo codes and use the discount coupon multiple times. In "alf.io", an event organizer can apply price discounts by using promo codes to your events. The organizer can limit the number of promo codes that will be used for this, but the time-gap between checking the number of codes and restricting the use of the codes allows a threat actor to bypass the promo code limit. Version 2.0-M5 fixes this issue.

Vendor	Product	Versions
alfio-event	alf.io	affected `< 2.0-M5`

Weaknesses (CWE)

CWE-362

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/alfio-event/alf.io/security/advisories/GHSA-67jg-m6f3-473g

x_refsource_CONFIRM

https://github.com/alfio-event/alf.io/commit/53b3309e26e8acec6860d1e045df3046153a3245

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-45300

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References