pretix
cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*
A vulnerability exists in Pretix email templates that allows for the injection of HTML or Markdown through placeholders. When names containing such formatting are used, the injected content is rendered as HTML in the final email. Although Pretix's strict allow list for HTML tags prevents this from being exploited for cross-site scripting or similar attacks, it can still be used to manipulate email content in a way that appears trustworthy, potentially leading to phishing attempts.
Exploitation of this vulnerability could result in phishing attacks, as it allows for the manipulation of email content to make it appear more credible.
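The flaw and a mitigation for it, as an added example that is not pretix's own code: placeholder values are substituted into a template before the Markdown-to-HTML step, so markup in a name becomes part of the email. The renderer here is a constructed stand-in that handles only links and bold, and `neutralise`, `render_email`, the template and the sample name are all hypothetical.

```python
import re

# Constructed stand-in for the Markdown-to-HTML step; it handles only
# [text](url) links and **bold**, and passes raw HTML through unchanged.
_LINK = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")
_BOLD = re.compile(r"\*\*(.+?)\*\*")

def render_markdown(text: str) -> str:
    text = _LINK.sub(r'<a href="\2">\1</a>', text)
    return _BOLD.sub(r"<strong>\1</strong>", text)

# Characters that carry meaning in Markdown or HTML. ':', '/' and '.' are
# included so that a renderer which auto-links bare URLs finds nothing to link.
_META = re.compile(r"[\\`*_{}\[\]()#+\-.!<>&\"'|~:/]")

def neutralise(value: str) -> str:
    """Replace markup metacharacters with numeric character references so the
    value is displayed as literal text in the HTML part of the email."""
    return _META.sub(lambda m: f"&#{ord(m.group())};", value)

def render_email(template: str, context: dict, escape: bool) -> str:
    """Fill {placeholders}, then render. escape=False reproduces the flaw."""
    if escape:
        context = {k: neutralise(v) for k, v in context.items()}
    return render_markdown(template.format_map(context))

def contains_link(html_body: str) -> bool:
    """Simple check for an anchor tag in the rendered body."""
    return "<a " in html_body.lower()

# Constructed sample: the template text is trusted, the attendee name is not.
TEMPLATE = "Hello {name},\n\nyour order **{code}** is confirmed."
SAMPLE_NAME = "[Verify your payment](https://example.invalid/pay)"

if __name__ == "__main__":
    ctx = {"name": SAMPLE_NAME, "code": "ABC12"}
    print(render_email(TEMPLATE, ctx, escape=False))  # name becomes a link
    print(render_email(TEMPLATE, ctx, escape=True))   # name stays literal text
```

The escaping applies to the HTML part only; a plain-text part should receive the raw value, since character references would be shown verbatim there.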