CVE-2023-44464: 
Python vulnerability analysis and mitigation

CVE-2023-44464 affects pretix versions prior to 2023.7.2, allowing Pillow to parse EPS files. The vulnerability was discovered and reported privately to pretix, leading to a security release on September 12, 2023. The issue affects all pretix installations from version 1.0.0 until 2023.7.1 (Vendor Advisory).

The vulnerability stems from insufficient validation of image file formats during upload. While pretix validates file extensions and image data validity, it did not verify that the image data matched allowed formats. This made it possible for attackers to rename EPS files to '.png' and successfully upload them. The image processing library used by pretix delegates EPS file parsing to Ghostscript, which has known security vulnerabilities due to legacy feature support spanning its 35-year history (Vendor Advisory). The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability could lead to remote code execution through Ghostscript when processing maliciously crafted EPS files. Images can be uploaded with almost any level of backend access, as well as through the 'Questions' feature when events allow file uploads from customers (Vendor Advisory).

The vulnerability has been fixed in pretix versions 2023.7.3, 2023.6.3, and 4.20.4. Organizations running older versions should upgrade to a recent version immediately. For customers using pretix Hosted service, the vulnerability has already been patched with no action required (Vendor Advisory).