Overview
CVE-2025-13742 is a content-injection vulnerability in the pretix event management system. Attendee names are inserted into email templates, and HTML or Markdown formatting contained in a name is rendered as markup in the generated email instead of being shown as plain text. pretix filters the rendered HTML through an allow list of tags, so script execution (XSS) is blocked; this is not a code-execution bug. It does, however, let anyone who registers with a crafted attendee name inject formatted text, including hyperlinks, into emails that the organizer's pretix instance sends. Because those emails genuinely come from the event organizer, the injected content borrows the organizer's credibility, which makes the issue useful for phishing.
Technical Details
pretix email templates contain placeholders such as {name} that are replaced with customer data when a message is generated. The attendee name is customer-supplied input entered during ticket purchase. The vulnerability arises because the substituted name is treated the same way as the organizer-written template text: any HTML or Markdown formatting in it is rendered to HTML in the resulting email. pretix's HTML allow list strips tags that could execute script, but it deliberately permits formatting and link tags, so an attacker can still inject elements such as <a href="..."> to create deceptive links, or use emphasis to make injected text look like part of the organizer's message. The root cause is that the attendee name is not escaped (or otherwise neutralized) before it is inserted into the template; the allow-list filter runs later and cannot distinguish organizer-written markup from attacker-supplied markup.
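The following is an added illustration written for this page, not pretix's own rendering code. It models the pipeline the paragraph describes with a toy Markdown renderer and an allow-list sanitizer: the template, the attendee names, the allowed tag set and the helper names are all constructed for the example. The vulnerable path substitutes the raw name into the template before rendering; the hardened path escapes HTML and Markdown syntax in the name first, so the organizer's own formatting still renders while the attacker's does not.

```python
import html
import re

# Constructed organizer-written Markdown template with a {name} placeholder.
# Hypothetical; not pretix's real template or rendering code.
TEMPLATE = (
    "Hello {name},\n\n"
    "your **ticket** for the event is attached. "
    "Manage your order at [the order page](https://tickets.example/order/ABC12)."
)

# Constructed attacker-controlled attendee names.
MARKDOWN_LINK_NAME = "Alice [verify your ticket](https://evil.example/phish)"
HTML_LINK_NAME = 'Bob <a href="https://evil.example/phish">verify</a>'
SCRIPT_NAME = "Carol <script>alert(1)</script>"

# Allow list modelled on the kind of filter the advisory describes:
# formatting and links survive, scripts do not (assumed set, not pretix's).
ALLOWED_TAGS = {"p", "a", "strong", "em", "br"}

LINK_RE = re.compile(r"(?<!\\)\[([^\]]+)\]\(([^)\s]+)\)")
BOLD_RE = re.compile(r"(?<!\\)\*\*(.+?)(?<!\\)\*\*")
MD_PUNCT_RE = re.compile(r"([\\`*_\[\]()!#])")
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")
HREF_RE = re.compile(r'href="([^"]*)"')
ANCHOR_HREF_RE = re.compile(r'<a href="([^"]*)">')


def render_markdown(text):
    """Toy Markdown subset: links, bold, paragraphs. Raw HTML passes through,
    as in most Markdown renderers; backslash-escaped punctuation is literal."""
    text = LINK_RE.sub(r'<a href="\2">\1</a>', text)
    text = BOLD_RE.sub(r"<strong>\1</strong>", text)
    text = re.sub(r"\\([`*_\[\]()!#])", r"\1", text)  # drop escaping backslashes
    return "\n".join(f"<p>{para}</p>" for para in text.split("\n\n"))


def sanitize(html_text):
    """Allow-list filter: disallowed tags are removed (their text stays) and
    <a> keeps only href. This blocks <script>, but by design not links."""
    def repl(m):
        closing, tag, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if tag not in ALLOWED_TAGS:
            return ""
        if closing:
            return f"</{tag}>"
        if tag == "a":
            href = HREF_RE.search(attrs)
            return f'<a href="{href.group(1)}">' if href else "<a>"
        return f"<{tag}>"
    return TAG_RE.sub(repl, html_text)


def escape_placeholder(value):
    """Hardened placeholder handling: neutralize raw HTML and Markdown syntax
    so the name is rendered as literal text."""
    value = html.escape(value, quote=True)
    return MD_PUNCT_RE.sub(r"\\\1", value)


def render_email(name, escape_name):
    """Substitute {name}, then render Markdown and sanitize.
    escape_name=False is the vulnerable behaviour; True is the fix."""
    value = escape_placeholder(name) if escape_name else name
    body = TEMPLATE.replace("{name}", value)
    return sanitize(render_markdown(body))


def links_in(html_text):
    """Return the href values of all anchors in the sanitized output."""
    return ANCHOR_HREF_RE.findall(html_text)


if __name__ == "__main__":
    for name in (MARKDOWN_LINK_NAME, HTML_LINK_NAME, SCRIPT_NAME):
        print(repr(name))
        print("  vulnerable:", links_in(render_email(name, escape_name=False)))
        print("  hardened:  ", links_in(render_email(name, escape_name=True)))
```

Running the script shows the point of the advisory: with the raw name substituted, both the Markdown link and the raw HTML anchor survive the allow list and appear as clickable links next to the organizer's legitimate link, while the <script> tag is stripped. With the name escaped before substitution, only the organizer's link remains and the attacker's text is shown verbatim.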
CVSS Analysis
At the time of writing, no severity rating or CVSS score has been assigned to this CVE (it is listed as N/A). This is consistent with the nature of the bug: the direct technical impact is limited to injecting formatted content into an email, not executing code or accessing data, and any harm depends on a recipient acting on the injected content. If a score is assigned, it will most likely reflect a network-reachable, low-complexity issue that requires user interaction, with the impact expressed in terms of the confidentiality and integrity losses a successful phishing lure could cause rather than any impact on the pretix system itself.
Possible Impact
The primary impact of CVE-2025-13742 is an increased risk of phishing. An attacker registers with an attendee name that contains a malicious link or deceptive formatted text. When pretix later sends a confirmation, reminder or other email that includes that name, the injected content appears inside a legitimate message from the organizer's own pretix instance, so recipients have little reason to distrust it. That can lead to credential theft, malware installation or other actions the attacker benefits from. Note that the attacker does not control the sender, subject or the rest of the template; only the name field is injected, which limits how much of the email can be shaped but does not make the lure less convincing.
Mitigation or Patch Steps
The recommended mitigation is to update to pretix version 2025.9.1 or later. This release sanitizes attendee names before they are substituted into email templates, so HTML and Markdown formatting in a name is displayed as literal text rather than rendered. Consult the pretix security announcement for the details of the fix and confirm after the upgrade that a test attendee name containing, for example, <b>, [text](url) or a bare URL is shown verbatim in the resulting email. Until the update can be applied, review attendee registrations for names containing HTML-like tags, Markdown link syntax or URLs before sending any emails, and treat such registrations as suspicious. Because the names were entered before the fix existed, it is also worth reviewing records created prior to the upgrade. Educating recipients to scrutinize links in event-related emails, even ones that come from the organizer, remains a useful complement to the patch.
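As an added example (not part of the original advisory and not a pretix feature), the following screens an exported list of attendee names for the kinds of markup the interim workaround asks operators to look for. The order identifiers and names are constructed sample data; the check labels and the function names are assumptions for this illustration. The screen flags HTML-like tags, Markdown links, bare URLs and Markdown emphasis markers, and leaves ordinary names with apostrophes or hyphens alone.

```python
import re

# Constructed sample of attendee records (order code, attendee name) as they
# might appear in an export. Hypothetical data, not from any real instance.
SAMPLE_ATTENDEES = [
    ("ORD01", "Alice Example"),
    ("ORD02", "Bob [verify your ticket](https://evil.example/phish)"),
    ("ORD03", 'Carol <a href="https://evil.example/phish">verify</a>'),
    ("ORD04", "Dave O'Brien-Smith"),
    ("ORD05", "Eve https://evil.example/login"),
    ("ORD06", "Frank **IMPORTANT** read this"),
    ("ORD07", "Grace <script>alert(1)</script>"),
]

# Each check is (label, pattern). Labels are assumed names for this example.
CHECKS = [
    ("html_tag", re.compile(r"</?[a-zA-Z][^>]*>")),
    ("markdown_link", re.compile(r"\[[^\]]*\]\([^)]*\)")),
    ("bare_url", re.compile(r"(?i)\b(?:https?://|www\.)\S+")),
    ("markdown_emphasis", re.compile(r"(\*\*|__|`)")),
]


def suspicious_markup(name):
    """Return the labels of every check that matches the name, in CHECKS order."""
    return [label for label, pattern in CHECKS if pattern.search(name)]


def scan_attendees(records):
    """Map order code -> list of reasons for every record whose name looks like
    it carries markup; records with clean names are omitted."""
    flagged = {}
    for order_code, name in records:
        reasons = suspicious_markup(name)
        if reasons:
            flagged[order_code] = reasons
    return flagged


if __name__ == "__main__":
    for order_code, reasons in scan_attendees(SAMPLE_ATTENDEES).items():
        print(f"{order_code}: {', '.join(reasons)}")
```

A regex screen of this kind is a stopgap for triage, not a substitute for the fix: it can only catch patterns someone thought of, so the sanitization has to live in the rendering path, which is what the pretix update provides. Run it over a CSV export of orders (or against the pretix REST API) and inspect the flagged records before any confirmation or reminder emails go out.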
