CVE-2025-13742
BaseFortify

Publication date: 2025-11-27

Last updated on: 2025-12-30

Assigner: rami.io

Description
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing.
Meta Information
Published
2025-11-27
Last Modified
2025-12-30
Generated
2026-05-07
AI Q&A
2025-11-27
EPSS Evaluated
2026-05-05
NVD
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
pretix pretix From 1.0.0 (inc) to 2025.7.2 (exc)
pretix pretix 2025.8.0
pretix pretix 2025.9.0
Exploitability
CWE ID Description
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs because pretix email templates use placeholders that are replaced with customer data, such as the buyer's name. If the attendee's name contains HTML or Markdown formatting, it is rendered as HTML in the final email. Although pretix restricts allowed HTML tags to prevent XSS or similar attacks, this allows a user to inject links or formatted text into emails, making user-provided content appear trustworthy and credible. This can be exploited for phishing attacks.


How can this vulnerability impact me?

The vulnerability can be used to manipulate emails sent by pretix so that maliciously formatted user content appears credible and trustworthy. This can lead to phishing attacks where recipients might be tricked into clicking malicious links or trusting harmful content embedded in the email, potentially compromising security or personal information.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, avoid using untrusted user input such as attendee names in email templates without proper sanitization or escaping. Review and update email templates to ensure that placeholders do not render HTML or Markdown formatting from user-provided data. Consider implementing additional filtering or validation on user input to prevent injection of formatted content that could be used for phishing.
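The rendering-order problem in the description above and the escaping advice in this answer, shown side by side as an added example. This is not pretix's code and does not reproduce its actual fix: a constructed Markdown-subset renderer stands in for the real email renderer, a substitute-then-render path reproduces the bug, a render-then-substitute-escaped path shows one correct ordering, and a heuristic check helps review stored attendee names. The names render_markdown, fill_placeholders, render_email_vulnerable, render_email_hardened and looks_like_markup, and the sample name and URL, are assumptions made for the example.

```python
import html
import re

# Minimal Markdown-subset renderer standing in for the real email renderer.
# Constructed for this example: it handles [text](url) links, **bold** and line
# breaks, and passes raw HTML through unchanged (the real renderer allow-lists tags).
_LINK = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")
_BOLD = re.compile(r"\*\*([^*]+)\*\*")
_PLACEHOLDER = re.compile(r"\{(\w+)\}")


def render_markdown(text: str) -> str:
    out = _LINK.sub(r'<a href="\2">\1</a>', text)
    out = _BOLD.sub(r"<strong>\1</strong>", out)
    return out.replace("\n", "<br>")


def fill_placeholders(text: str, context: dict, transform=lambda v: v) -> str:
    """Replace {name}-style placeholders with context values, each passed through transform."""
    return _PLACEHOLDER.sub(
        lambda m: transform(str(context[m.group(1)])) if m.group(1) in context else m.group(0),
        text,
    )


def render_email_vulnerable(template: str, context: dict) -> str:
    # Substitute first, render second: customer data is parsed as Markdown/HTML,
    # so a name containing [text](url) becomes a real link in the email.
    return render_markdown(fill_placeholders(template, context))


def render_email_hardened(template: str, context: dict) -> str:
    # Render the organizer-authored template first, then substitute HTML-escaped
    # values into the finished HTML. Customer data is never parsed as markup.
    return fill_placeholders(render_markdown(template), context, transform=html.escape)


# Detection aid for reviewing existing attendee records: flags values that contain
# markup-looking syntax. Heuristic, constructed for this example; it supplements
# escaping and does not replace it.
_SUSPICIOUS = re.compile(r"<[a-zA-Z/]|\]\(|https?://|\*\*|__")


def looks_like_markup(value: str) -> bool:
    return bool(_SUSPICIOUS.search(value))


if __name__ == "__main__":
    template = "Hello {name},\n\nYour order is confirmed."
    # Constructed attendee name; the URL is a placeholder, not a real site.
    ctx = {"name": "Jane [Verify your ticket](https://example.invalid/verify)"}
    print(render_email_vulnerable(template, ctx))  # link is rendered
    print(render_email_hardened(template, ctx))    # link text appears literally
    print(looks_like_markup(ctx["name"]), looks_like_markup("Jane Doe"))
```

The hardened path relies on the template being trusted (written by the organizer) and on the substituted values being escaped for the context they land in; here that is HTML text content, so html.escape is the right transform, and a value placed inside an attribute or a URL would need the escaping for that context instead.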

