References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

When creating an export through the pretix API, API clients are 
returned an UUID value for their export job (a long, random string like 
35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client 
can then request the actual file for download. The same kind of UUID is 
used in other places in pretix when temporary files are generated for 
internal use or download.




One remaining API endpoint, however, wrongfully did not verify if the
 UUID used for download actually belongs to a file that is supposed to 
be downloadable and belongs to the correct user. In reality, this is 
hard to exploit because an attacker would need to have access to a valid
 UUID for the file they desire which is unlikely to happen without a 
separate security problem giving them access to logs etc.

AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-639

https://pretix.eu/about/en/blog/20260527-release-2026-4-2/