CVE-2025-13742
📋 TL;DR
This vulnerability in pretix allows attackers to inject HTML/Markdown content into emails by using maliciously formatted attendee names. While XSS attacks are prevented by HTML allow-listing, attackers can manipulate emails to make user-provided content appear trustworthy for phishing campaigns. Organizations using pretix for event ticketing are affected.
💻 Affected Systems
- pretix
📦 What is this software?
Pretix by Pretix
⚠️ Risk & Real-World Impact
Worst Case
Successful phishing campaigns leading to credential theft, financial fraud, or malware distribution by making malicious content appear as legitimate pretix communications.
Likely Case
Attendees receiving emails with unexpected links or formatted content that appears legitimate, potentially leading to phishing clicks or confusion.
If Mitigated
Limited to minor formatting anomalies in emails, with no security impact, because HTML allow-listing prevents script execution.
🎯 Exploit Status
Exploitation requires creating an attendee with a maliciously formatted name, which is trivial. No authentication bypass is needed beyond normal attendee registration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.9.1
Vendor Advisory: https://pretix.eu/about/en/blog/20251126-release-2025-9-1/
Restart Required: No
Instructions:
1. Back up your pretix installation and database.
2. Update pretix to version 2025.9.1 or later using your package manager or deployment method.
3. Verify that the update completed successfully.
🔧 Temporary Workarounds
Sanitize attendee names
Implement input validation to strip HTML/Markdown formatting from attendee names during registration
Custom implementation required based on deployment
Disable name placeholders
Modify email templates to remove {name} and similar placeholders that use attendee-provided data
Edit email templates in pretix admin interface
🧯 If You Can't Patch
- Implement email content filtering to strip HTML from outgoing emails containing attendee data
- Monitor for unusual email formatting patterns and investigate attendee registrations with HTML-like names
🔍 How to Verify
Check if Vulnerable:
Check whether the pretix version is earlier than 2025.9.1, and test by registering with a name containing HTML tags such as <b>test</b> to see whether the formatting appears in emails.
Check Version:
python -c "import pretix; print(pretix.__version__)" or check the pretix admin interface
Verify Fix Applied:
After updating to 2025.9.1 or later, test with HTML-formatted names to confirm formatting is stripped from emails.
📡 Detection & Monitoring
Log Indicators:
- Attendee registrations with HTML tags in name fields
- Unusual email formatting patterns in outbound email logs
Network Indicators:
- Emails from pretix containing unexpected HTML formatting
SIEM Query:
source="pretix" AND event="registration" AND (name CONTAINS "<" OR name CONTAINS ">")
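As an added defensive example (not pretix code and not from the advisory), the following Python implements the two controls this page describes: the detection check for HTML-like attendee names from the Detection & Monitoring section, and the "sanitize attendee names" workaround that strips HTML/Markdown formatting before a name reaches an email template. The registration records are constructed sample data, and the function names are assumed.

```python
import re

# Constructed sample registration records (not real pretix log data).
# "name" is the attendee-provided field this advisory is about.
REGISTRATIONS = [
    {"event": "registration", "name": "Alice Example"},
    {"event": "registration", "name": "<b>Urgent</b> Bob"},
    {"event": "registration", "name": "[Reset your password](https://evil.example)"},
    {"event": "registration", "name": "Carol **VIP** O'Brien"},
    {"event": "login", "name": "<script>alert(1)</script>"},  # not a registration
]

ANGLE = re.compile(r"[<>]")                        # mirrors the SIEM query above
HTML_TAG = re.compile(r"<[^>]+>")                  # <b>, </b>, <a href=...>
MD_LINK = re.compile(r"\[([^\]]*)\]\([^)]*\)")     # [text](url)
MD_EMPHASIS = re.compile(r"(\*\*|__|\*|`)")        # **bold**, __bold__, *em*, `code`


def looks_like_markup(name: str) -> bool:
    """Detection check: does an attendee name carry HTML or Markdown formatting?"""
    return bool(ANGLE.search(name) or MD_LINK.search(name) or MD_EMPHASIS.search(name))


def sanitize_name(name: str) -> str:
    """Workaround: reduce an attendee name to plain text before templating.

    Tags and emphasis markers are dropped; for a Markdown link the visible
    text is kept and the URL is removed, so no attacker-chosen link survives.
    Any remaining characters are left literal; escaping is the renderer's job.
    """
    name = HTML_TAG.sub("", name)
    name = MD_LINK.sub(r"\1", name)
    name = MD_EMPHASIS.sub("", name)
    return " ".join(name.split())  # collapse whitespace left by removed tokens


def flag_registrations(records):
    """Return names from registration events that match the detection check."""
    return [
        r["name"]
        for r in records
        if r["event"] == "registration" and looks_like_markup(r["name"])
    ]


if __name__ == "__main__":
    for suspicious in flag_registrations(REGISTRATIONS):
        print(f"flagged: {suspicious!r} -> sanitized: {sanitize_name(suspicious)!r}")
```

The detector is deliberately broad (a bare `<` or `>` is enough to flag a record), so treat hits as triage candidates rather than confirmed abuse.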