CVE-2025-14881

EPSS 0.06%

pretix has Broken Access Control Allowing Cross-User File Access via UUID

發布日:2025/12/19修改日:2025/12/20

描述

Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.

受影響套件(1)

PyPI/pretix>= 2025.10.0, < 2025.10.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-14881
PATCHhttps://github.com/pretix/pretix
WEBhttps://github.com/pretix/pretix/commit/4b5651862c57c6e384822d1d23292342126c479a
WEBhttps://pretix.eu/about/en/blog/20251219-release-2025-10-1