CVE-2024-45299 - Exploiting Improper JSON Escaping in alf.io's Admin Customization
alf.io is a popular open source ticket reservation system, used by organizers for events like conferences, workshops, trade shows, and meetups. It's appreciated for its robust set of features and flexibility. However, before version 2.-M5, alf.io suffered from a significant but subtle security flaw: improperly escaped JSON data. This vulnerability is now tracked as CVE-2024-45299.
Let's break down what this means, how the exploit works, and how the latest update (as of June 2024) fixes the issue.
What is CVE-2024-45299?
If you’re managing an event in alf.io, you can customize the messages and labels shown to your attendees. These texts are saved by the admin right from the backend interface. However, until version 2.-M5, when these texts were stored, they weren’t properly escaped when being preloaded as JSON into the frontend JavaScript.
This means: if an admin accidentally (or intentionally) saved texts containing problematic JSON or HTML code, this could "break" how the website loaded, or potentially open the way for unexpected behavior.
Critically: this bug is only dangerous to the site admin/event admin themselves—regular users could not exploit this, and the robust Content-Security-Policy (CSP) alf.io uses prevented attackers from running malicious scripts. Still, admins could easily break their own installations through some customization options.
Let’s look at what could go wrong.
Suppose you’re an event admin, and you want to add a custom welcome message. You might mistakenly insert a message with a special character that isn't JSON-safe:
Welcome to our event! {"quote": "It's going to be "awesome"!"}
Notice how the inner double quotes around awesome aren't escaped for JSON: the message itself contains unescaped quotes and braces.
Before the fix, alf.io would place your text straight into a JavaScript context, like this simplified example (imagine part of a page source):
<script>
window.preloadedData = {"customMessage": "Welcome to our event! {"quote": "It's going to be "awesome"!"}"}
</script>
This is invalid JavaScript! Browsers will complain or even halt parsing. Effectively, the site could just break for everyone.
Actual Exploit Details
Since alf.io enforces a strong Content-Security-Policy, this vulnerability did not allow for classic Cross-Site Scripting (XSS) attacks—no outside hacker could hijack sessions or load scripts. But an admin customizing their texts could unwittingly:
- Make some frontend features (like dynamic ticket tables) stop working,
- Lock themselves out of the UI, requiring database or backend intervention to revert the offending text.
So, while it's not a "code execution" bug like many CVEs, it has real impact—and was easily triggered during normal site setup or customization.
Reload the event homepage.
In vulnerable versions, the site JavaScript may now throw an error, break the layout, or stop processing customized UI elements.
How the Bug Was Fixed
After reporting, the alf.io team patched the bug in version 2.-M5 (release notes here). Their fix ensures any admin-customized text is safely escaped before being embedded in page JavaScript, so no invalid JSON or breaking strings make it to the browser.
Key changes include:
// Java code inside alf.io controllers/services (simplified)
// adminInput is the raw, admin-saved text; escapeJson() encodes quotes,
// backslashes and control characters so the result is a valid JSON string
String safeJson = escapeJson(adminInput);
return "<script>window.preloadedData = " + safeJson + ";</script>";
Now, even if your message includes quotes or other special characters, they're encoded correctly:
"customMessage": "Thank you for attending! It\u0027s going to be \"great\"!"
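To make both the break and the fix concrete, here is an added JavaScript example (not alf.io's code) that embeds the article's sample message into a script block the naive way and the escaped way, then parses the emitted source the way a browser would. It goes slightly beyond the page: besides JSON escaping it also encodes `<`, `>`, `&` and U+2028/U+2029, which are JSON-safe but can still terminate an inline script block or break parsing. The function names `naiveEmbed`, `escapeForScript`, `safeEmbed` and `loadPreloaded` are chosen for this example.

```javascript
// Added example (not alf.io code): embedding admin-controlled text into an
// inline <script> as preloaded JSON, the naive way versus the escaped way.

// Constructed sample: the admin-saved message from the article, containing
// unescaped double quotes and braces.
const adminMessage = 'Welcome to our event! {"quote": "It\'s going to be "awesome"!"}';

// Naive embedding: the raw text is dropped between quotes, exactly what
// broke pre-fix pages. Returns the JavaScript source that would be emitted.
function naiveEmbed(message) {
  return 'window.preloadedData = {"customMessage": "' + message + '"};';
}

// Escaped embedding: JSON.stringify handles quotes, backslashes and control
// characters. Characters that are JSON-safe but risky inside <script> are
// additionally encoded so the text can never close the script block or open
// an HTML comment: '<' (for "</script>" and "<!--"), '>', '&', and
// U+2028/U+2029, which older JS engines treat as line terminators.
function escapeForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function safeEmbed(message) {
  return 'window.preloadedData = ' + escapeForScript({ customMessage: message }) + ';';
}

// Parse the emitted source as a browser would and return the resulting
// preloadedData object, or null if the source is not valid JavaScript.
function loadPreloaded(source) {
  const sandbox = {};
  try {
    new Function('window', source)(sandbox);
    return sandbox.preloadedData;
  } catch (e) {
    return null;
  }
}

// Expected: null for the naive output, true for the escaped round trip.
console.log(loadPreloaded(naiveEmbed(adminMessage)));
console.log(loadPreloaded(safeEmbed(adminMessage)).customMessage === adminMessage);
```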
What Should Admins Do?
- Upgrade immediately to version 2.-M5 or above. (alf.io GitHub download)
Links & References
- CVE-2024-45299 on NVD
- alf.io GitHub Repository
- 2.-M5 Release Notes & Patch
Summary
CVE-2024-45299 shows us that even with a solid security posture (like strong CSP), mishandled escaping can have real-world effects, particularly for site admins. While it didn’t cause remote code execution or let attackers break in, it still could brick your event site with a tiny typo in custom messages. Version 2.-M5 closes this door with proper escaping.
Timeline
Published on: 09/06/2024 13:15:05 UTC
Last modified on: 09/30/2024 12:48:22 UTC