Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-13602

Gravedad CVSS v4.0:
ALTA
Tipo:
CWE-20 Validación incorrecta de entrada
Fecha de publicación:
01/07/2026
Última modificación:
02/07/2026

Descripción

*** Pendiente de traducción *** We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data:<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> * <br /> <br /> <br /> The payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay<br /> contain a code path that is intended for the transport of session <br /> parameters from a tab with isolated cookies (e.g. in the pretix widget) <br /> to a new tab. For this purpose, a set of session parameters is <br /> cryptographically signed and then passed to the new tab as a URL <br /> parameter. The plugins perform no further validation of the session <br /> parameters, other than the cryptographic signature being valid. This is <br /> fixed with the releases issued today by strictly validating that no <br /> session parameters outside of the scope of the respective plugin may be <br /> set.<br /> <br /> <br /> <br /> <br /> * <br /> <br /> <br /> An unrelated feature in the core system is used to generate redirect links that obfuscate any Referer<br /> headers for outgoing links to prevent leakage of secrets in URLs. This <br /> redirect page also requires cryptographically signed parameters. <br /> Unfortunately, it uses the same key and salt for the signature as the <br /> previously mentioned feature in the payment integration plugins. A <br /> motivated attacker with access to at least one event in the backend can <br /> trick the system into cryptographically signing arbitrary content using <br /> specially crafted links. In combination with the previous issue, the <br /> attacker could use this to set and modify arbitrary parameters on their <br /> user session by injecting the signed parameters into the feature of the <br /> payment providers. This is fixed with the releases issued today by using<br /> different salts for the signature for each plugin and feature.<br /> <br /> <br /> <br /> <br /> * <br /> <br /> <br /> A third, unrelated feature in the core system is used for admin users<br /> to act on behalf of another user, mostly for debugging purposes. With <br /> being able to insert arbitrary parameters into a session, an attacker <br /> can abuse this feature to change their session from their actual user to<br /> any user in the system by guessing a valid user ID. This is fixed with<br /> the release today by requiring unguessable information to be contained <br /> in the session of the user to switch to.

Referencias a soluciones, herramientas e información