CVE-2026-13602
Gravedad CVSS v4.0:
ALTA
Tipo:
CWE-20
Validación incorrecta de entrada
Fecha de publicación:
01/07/2026
Última modificación:
02/07/2026
Descripción
*** Pendiente de traducción *** We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
* <br />
<br />
<br />
The payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay<br />
contain a code path that is intended for the transport of session <br />
parameters from a tab with isolated cookies (e.g. in the pretix widget) <br />
to a new tab. For this purpose, a set of session parameters is <br />
cryptographically signed and then passed to the new tab as a URL <br />
parameter. The plugins perform no further validation of the session <br />
parameters, other than the cryptographic signature being valid. This is <br />
fixed with the releases issued today by strictly validating that no <br />
session parameters outside of the scope of the respective plugin may be <br />
set.<br />
<br />
<br />
<br />
<br />
* <br />
<br />
<br />
An unrelated feature in the core system is used to generate redirect links that obfuscate any Referer<br />
headers for outgoing links to prevent leakage of secrets in URLs. This <br />
redirect page also requires cryptographically signed parameters. <br />
Unfortunately, it uses the same key and salt for the signature as the <br />
previously mentioned feature in the payment integration plugins. A <br />
motivated attacker with access to at least one event in the backend can <br />
trick the system into cryptographically signing arbitrary content using <br />
specially crafted links. In combination with the previous issue, the <br />
attacker could use this to set and modify arbitrary parameters on their <br />
user session by injecting the signed parameters into the feature of the <br />
payment providers. This is fixed with the releases issued today by using<br />
different salts for the signature for each plugin and feature.<br />
<br />
<br />
<br />
<br />
* <br />
<br />
<br />
A third, unrelated feature in the core system is used for admin users<br />
to act on behalf of another user, mostly for debugging purposes. With <br />
being able to insert arbitrary parameters into a session, an attacker <br />
can abuse this feature to change their session from their actual user to<br />
any user in the system by guessing a valid user ID. This is fixed with<br />
the release today by requiring unguessable information to be contained <br />
in the session of the user to switch to.
Impacto
Puntuación base 4.0
7.70
Gravedad 4.0
ALTA



