CVE-2023-28458: 
Python vulnerability analysis and mitigation

CVE-2023-28458 affects pretalx versions 2.3.1 and earlier, specifically its HTML export feature (a non-default functionality). The vulnerability was discovered by Sonar researchers and disclosed on March 7, 2023. The issue allows organizers to trigger the overwriting of arbitrary files with the standard pretalx 404 page content through path traversal in the HTML export feature (Sonar Blog, Vendor Advisory).

The vulnerability is classified as a path traversal issue (CWE-22) with a CVSS v3.1 base score of 4.3 (MEDIUM), vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The issue exists in the HTML export functionality where the application fails to properly validate file paths during the export process. The vulnerability could be exploited by using path traversal sequences (../) to write files outside the intended directory (NVD).

The vulnerability allows authenticated organizers to overwrite arbitrary files on the server with the standard pretalx 404 page content. When running in debug mode, the vulnerability could potentially lead to remote code execution. The impact is particularly concerning for self-hosted instances running in development mode (Vendor Advisory).

The vulnerability was patched in pretalx version 2.3.2, released on March 7, 2023. The fix includes proper path validation to prevent directory traversal by ensuring that the final path remains within the intended destination folder. Users are strongly advised to upgrade to version 2.3.2 or later. The SaaS platform pretalx.com was immediately patched upon disclosure (GitHub Patch, Vendor Advisory).