[HIGH] Security Advisory: pretalx vulnerable to stored cross-site scripting in organizer search typeahead (pretalx)

pretalx, the open-source conference management platform powering events like FOSDEM, Chemnitzer Linux-Tage, and dozens of PyCons, exposes organizers to stored cross-site scripting (XSS) attacks. A HIGH-severity flaw in the backend organizer search typeahead lets any registered user inject HTML or JavaScript via controllable fields like display names, submission titles, speaker names, or user emails. When an organizer types a matching query, the payload executes in their browser.

This isn’t a drive-by exploit. Attackers need two conditions: control over a searchable field—easy for any registrant whose display name an admin might look up—and an organizer (with more than review permissions) or superuser to trigger it via search. Craft a display name with common substrings like “admin” or “review,” embed <script>alert(1)</script>, and wait. The dropdown renders it via unsafe innerHTML interpolation in src/pretalx/static/orga/js/base.js.

Real-World Impact

Organizers hold the keys to sensitive data: speaker details, peer reviews, schedules, and attendee info. Once injected script runs, it operates in the pretalx organizer interface context. Attackers grab the CSRF token from the page, forge authenticated requests, alter submissions, leak review comments, or exfiltrate visible data to an external server. For a mid-sized conference with 500 submissions and 50 organizers, one compromised organizer equals full backend access.

pretalx runs 1,000+ events yearly across 50+ countries, per their stats. Public CFPs draw thousands of registrations, many with minimal vetting. A single malicious submitter—think grudge from rejection or targeted phishing—turns the search bar into a trapdoor. We’ve seen similar flaws in Eventbrite plugins and CiviCRM; they cascade when high-priv users get hit. No public exploits yet, but the report from Elad Meged at Novee Security dates back months—likely fixed quietly, ahead of the v2026.1.0 release (January 2026; under pretalx’s YYYY.N.x versioning scheme, that is 2026’s first major release).

Why this matters: Conferences operate on tight timelines. Mid-CFP compromise disrupts reviews; post-event, it hits archives. Financially, leaked sponsor deals or speaker data invites GDPR fines—up to 4% revenue for EU orgs. Security teams overlook these tools because they’re “just event software,” but pretalx’s Django backbone and PostgreSQL store real PII. Skeptical take: innerHTML in 2025? Basic sanitization like DOMPurify or textContent would’ve blocked it. Fair point: Open-source maintainers triage fast; credits go to Meged for disclosure.

Fix It Now

Upgrade to pretalx v2026.1.0 immediately; the fix ships with the release. No config tweak helps, because the vuln lives in the client-side JS (base.js), not in any server setting. Interim: Ditch the organizer search bar (use direct navigation or filters) or hand-patch base.js. Replace the innerHTML lines with safe alternatives:

// Vulnerable pattern (pre-patch): untrusted fields interpolated straight into markup
element.innerHTML = `${data.title} <small>${data.speaker}</small>`;

// Safe fix: build the same structure with textContent, so the browser never
// parses data.title or data.speaker as HTML
element.textContent = `${data.title} `;
const small = document.createElement('small');
small.textContent = data.speaker;
element.appendChild(small);
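To make the difference testable outside a browser, here is an added example (not pretalx’s own code, and not taken from the upstream patch) that puts the vulnerable renderer next to two hardened versions: one that escapes before interpolating (safe to assign to innerHTML) and one that builds DOM nodes with textContent. The result fields `title` and `speaker` and the `alert(1)` sample value are assumptions standing in for pretalx’s real search-result shape.

```javascript
// Added example, not pretalx's own code. Field names (title, speaker) are
// assumptions standing in for the real typeahead result shape.

// Minimal HTML escaper covering the five characters that matter inside text
// nodes and quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The vulnerable shape: untrusted fields interpolated straight into markup.
// Returned as a string so it can be inspected without a browser; assigning
// this to innerHTML is exactly what lets a stored payload run.
function renderResultUnsafe(data) {
  return `${data.title} <small>${data.speaker}</small>`;
}

// Hardened shape 1: escape before interpolation. Safe to assign to innerHTML.
function renderResultEscaped(data) {
  return `${escapeHtml(data.title)} <small>${escapeHtml(data.speaker)}</small>`;
}

// Hardened shape 2: build nodes and set text via textContent, so the browser
// never parses the untrusted values as markup at all. Takes the document as a
// parameter so it can be exercised against any DOM implementation.
function renderResultNode(doc, data) {
  const li = doc.createElement('li');
  li.textContent = `${data.title} `;
  const small = doc.createElement('small');
  small.textContent = data.speaker;
  li.appendChild(small);
  return li;
}

// True when a rendered string still contains an unescaped script-bearing tag
// or an inline event handler, i.e. something innerHTML would execute or attach.
function containsActiveMarkup(html) {
  return /<\s*(script|img|svg|iframe|object|embed)\b/i.test(html)
    || /\son[a-z]+\s*=/i.test(html);
}

// Constructed sample: a registrant's display name carrying a payload of the
// kind the advisory describes (alert(1) only).
const SAMPLE_RESULT = {
  title: 'Keynote: admin review process',
  speaker: 'Mallory <script>alert(1)</script>',
};

// Stand-alone demonstration of the three renderers on the sample.
function demo() {
  return {
    unsafe: renderResultUnsafe(SAMPLE_RESULT),
    escaped: renderResultEscaped(SAMPLE_RESULT),
    unsafeIsActive: containsActiveMarkup(renderResultUnsafe(SAMPLE_RESULT)),
    escapedIsActive: containsActiveMarkup(renderResultEscaped(SAMPLE_RESULT)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The textContent variant is the one to prefer in base.js: it needs no escaper to get right and cannot regress if someone later adds a field. The escaped-string variant exists for places where a template string is hard to avoid; `containsActiveMarkup` is only a quick regression check, not a sanitizer.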

Rebuild statics with ./manage.py collectstatic, clear caches. Test in staging—search a dummy malicious name. For self-hosted, audit logs for anomalous searches. Upstream pushes Docker images; pull latest if containerized.
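Upgrading stops new payloads from rendering, but a field that was planted before the upgrade is still sitting in the database. The following added example (not pretalx’s own tooling) scans an exported set of records for markup in the searchable fields named in the advisory. The record shape, the field names and the sample rows are constructed assumptions; point it at whatever export (JSON dump, ORM query results) your instance actually produces.

```javascript
// Added example, not pretalx's own code. Record shape and field names are
// assumptions; the sample export below is constructed for illustration.

// Patterns that indicate markup rather than an ordinary name or title.
const MARKUP_PATTERNS = [
  { name: 'tag', re: /<\s*\/?\s*[a-z!?]/i },                 // <tag>, </tag>, <!-- -->
  { name: 'entity-encoded-tag', re: /&(lt|#0*60|#x0*3c);/i }, // &lt; and numeric forms
  { name: 'event-handler', re: /\bon[a-z]+\s*=/i },          // onerror=, onload=, ...
  { name: 'javascript-url', re: /javascript\s*:/i },
];

// Names of every pattern a single value matches; empty for clean values.
function classifyValue(value) {
  if (typeof value !== 'string') return [];
  return MARKUP_PATTERNS.filter((p) => p.re.test(value)).map((p) => p.name);
}

// Walk every record, check the listed fields, and return one finding per
// (record, field) pair that looks like markup. Findings are for human review:
// a legitimate title such as "C++ <vector> pitfalls" will also be flagged.
function findStoredMarkup(records, fields) {
  const findings = [];
  for (const record of records) {
    for (const field of fields) {
      const reasons = classifyValue(record[field]);
      if (reasons.length > 0) {
        findings.push({ id: record.id, field, reasons, value: record[field] });
      }
    }
  }
  return findings;
}

// Constructed sample export: benign rows plus two planted payloads and one
// benign row that uses angle brackets legitimately.
const SAMPLE_RECORDS = [
  { id: 1, kind: 'user', name: 'Ada Lovelace', email: 'ada@example.org' },
  { id: 2, kind: 'user', name: 'admin <img src=x onerror=alert(1)>', email: 'm@example.org' },
  { id: 3, kind: 'submission', title: 'Reviewing C++ <vector> pitfalls', speaker: 'Grace' },
  { id: 4, kind: 'submission', title: 'Intro to Django', speaker: 'review&lt;script&gt;x' },
  { id: 5, kind: 'user', name: 'Session chair', email: 'chair@example.org' },
];

// The fields the advisory names as attacker-controllable and searchable.
const SEARCHABLE_FIELDS = ['name', 'email', 'title', 'speaker'];

function auditSample() {
  return findStoredMarkup(SAMPLE_RECORDS, SEARCHABLE_FIELDS);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditSample()) {
    console.log(`record ${f.id} field ${f.field}: ${f.reasons.join(', ')} -> ${JSON.stringify(f.value)}`);
  }
}
```

Run it over an export taken before and after the upgrade; anything flagged on `name` or `speaker` for an account that never submitted a talk deserves a look at that account’s other activity. The entity-encoded pattern matters because a value stored as `&lt;script&gt;` is harmless in a text node but becomes live markup if a template decodes it before an innerHTML assignment.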

Bigger lesson: Event platforms lag on OWASP Top 10. Scan your pretalx instance with pretalx-check or Nuclei templates for XSS. Run as low-priv as possible—limit organizer roles. If you’re on older branches like 2024.x, bump now; LTS trails security fixes. This vuln underscores: User input is enemy #1. Patch, audit JS, and train organizers on phishing overlays—because XSS often pairs with social engineering.

April 18, 2026 · 3 min · 12 views · Source: GitHub Security