CVE-2025-14881

Summary

Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.

Affected Software

VendorProductVersion RangeStatus
pretixpretix1.0.0 < 2025.8.0affected
pretixpretix2025.8.0 < 2025.9.0affected
pretixpretix2025.9.0 < 2025.10.0affected
pretixpretix2025.10.0 < 2025.11.0affected

Weaknesses

  • CWE-639: CWE-639 Authorization Bypass Through User-Controlled Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References