pretalx
cpe:2.3:a:pretalx:pretalx:*:*:*:*:*:*:*
- < 2026.1.0
A stored cross-site scripting vulnerability has been identified in Pretalx versions prior to 2026.1.0. The issue arises in the organiser search feature of the Pretalx backend, where submission titles, speaker display names, and user names or emails are rendered into the results dropdown by interpolating them into an innerHTML string, so the browser parses the field values as HTML rather than showing them as text. Any user who controls one of these fields, including an ordinary registered user whose display name an administrator's search may match, can therefore inject HTML or JavaScript. The injected script executes in the organiser's browser as soon as a search query matches the compromised record; no click on the result is required. Exploitation could lead to authenticated requests being issued on behalf of the victim, including requests that modify data, or to the exfiltration of any data visible to the victim.
Because the payload is stored server-side, it affects every organiser whose search matches the record, and it runs with that organiser's session and permissions.
To reproduce this vulnerability, first inject a script into a field that is rendered in the organiser search dropdown, such as a submission title or a speaker display name (a low-privilege account that can submit a proposal or edit its own profile is sufficient). Then log in as an organiser with more than review permissions and perform a search that matches the tampered record. The script executes in the organiser's browser when the result is rendered.
Users can upgrade to Pretalx version 2026.1.0 or apply the patch manually to the 'src/pretalx/static/orga/js/base.js' file and re-collect static files.
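The following is an added example, not code from pretalx or from its patch, showing why the rendering pattern described above is a stored XSS sink and two ways to render the same search hit safely. The record shape, the field names, the hypothetical request path in the payload and the stub document used to run it outside a browser are all assumptions made for the example.

```javascript
// Added example (not pretalx's own code): why splicing record fields into
// innerHTML is a stored XSS sink, and two ways to render the same search hit
// safely. Record shape, field names and the stub document are assumptions.

// Constructed sample search results. The speaker's display name carries a
// payload that fires on load, with no interaction beyond typing the search.
// The request path inside it is hypothetical.
const sampleResults = [
  { kind: "submission", title: "Keynote: Memory safety in practice", code: "A1B2C" },
  {
    kind: "speaker",
    name: '<img src=x onerror="fetch(\'/orga/hypothetical-endpoint/\',{method:\'POST\'})">',
    code: "SPK01",
  },
  { kind: "user", email: "bob@example.org<script>alert(document.cookie)</script>" },
];

function labelOf(r) {
  return r.title || r.name || r.email || "";
}

// VULNERABLE: the pattern the advisory describes. The untrusted field lands
// inside markup that is later assigned to innerHTML, so '<' opens a tag and
// the onerror handler runs in the organiser's session.
function renderResultUnsafe(r) {
  return `<li class="result ${r.kind}"><span>${labelOf(r)}</span></li>`;
}

// Fix 1: escape before interpolating. Covers the five characters that can
// change meaning in text content or in a double- or single-quoted attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderResultEscaped(r) {
  // r.kind is escaped too: do not assume a field is safe because the server
  // usually sets it.
  return `<li class="result ${escapeHtml(r.kind)}"><span>${escapeHtml(labelOf(r))}</span></li>`;
}

// Fix 2 (preferred in browser code): build nodes and assign text through
// textContent, which never parses its argument as HTML. `doc` is any object
// with createElement; in a browser, pass the real `document`.
function buildResultNode(doc, r) {
  const li = doc.createElement("li");
  li.className = "result";
  const span = doc.createElement("span");
  span.textContent = labelOf(r);
  li.appendChild(span);
  return li;
}

// Minimal stand-in for `document` so the example runs under Node. It stores
// textContent verbatim, mirroring the browser's refusal to parse it.
function makeStubDocument() {
  return {
    createElement(tag) {
      return {
        tag,
        className: "",
        textContent: "",
        children: [],
        appendChild(child) { this.children.push(child); return child; },
      };
    },
  };
}

// Quick audit of a renderer: a result is flagged when its label contains a
// '<' and the rendered markup still contains that label verbatim, i.e. the
// tag survived into the output unescaped. Returns the kinds of flagged hits.
function findLiveMarkup(renderFn, results) {
  return results
    .filter((r) => labelOf(r).includes("<") && renderFn(r).includes(labelOf(r)))
    .map((r) => r.kind);
}

console.log("unsafe renderer leaves live markup for:", findLiveMarkup(renderResultUnsafe, sampleResults));
console.log("escaped renderer leaves live markup for:", findLiveMarkup(renderResultEscaped, sampleResults));
console.log("textContent node holds:", buildResultNode(makeStubDocument(), sampleResults[1]).children[0].textContent);
```

When auditing a fix of this kind, check that every interpolated field is covered, not only the one named in the report: a dropdown that escapes the title but still splices the speaker name or the email into the same template remains exploitable.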