Post by Novee Security


🚨 NEW RESEARCH: High-severity stored XSS → account takeover in pretalx.

Novee Security research disclosed a vulnerability in pretalx, the open-source platform that powers CFPs across the technical conference world. Any registered user could plant HTML in a submission title and have it execute in an organizer's browser the moment their application got called up in a search. Total session hijack, and a quick way to spin up an agent to speed-run the CFP cycle, and get auto-accepted to 40 events.

Each individual link in the takeover is something scanners catch on its own and file as low-risk. Composed, they're a high-severity exploit. This kind of chain requires reasoning about how the application is supposed to work, how primitives compose, and what an attacker can do with the workflow around the bug. That's what offensive AI is for.

Huge thanks to the pretalx team and creator Tobias Kunze for the rapid, cooperative disclosure. Credit to Elad Meged on Novee's research team for the discovery.

🔗 Full write-up in the comments below.
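The rendering pattern behind this class of bug, as an added example that is not pretalx's code or Novee's: a search-result renderer that interpolates an attendee-supplied title straight into HTML beside the hardened form that escapes it at the point of output, plus a defensive audit over already-stored titles. The `Submission` type, the sample titles and the `probe()` marker are constructed for illustration.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class Submission:
    code: str
    title: str  # untrusted: typed by whoever submitted the talk


def render_result_unsafe(sub: Submission) -> str:
    # The stored-XSS pattern: the raw title lands inside the organizer-facing
    # search results, so any markup in it runs in the organizer's browser.
    return f'<li data-code="{sub.code}">{sub.title}</li>'


def render_result(sub: Submission) -> str:
    # Hardened form: every untrusted value is HTML-escaped where it enters
    # markup, so '<' becomes '&lt;' and no tag or handler survives.
    return f'<li data-code="{html.escape(sub.code)}">{html.escape(sub.title)}</li>'


# Heuristic for data already in the database: tags, inline event handlers,
# javascript: URLs. It is a triage aid, not a sanitizer; escaping on output
# (render_result) is the actual fix.
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!]|\bon\w+\s*=|javascript:", re.I)


def audit_titles(subs: list[Submission]) -> list[str]:
    """Return codes of submissions whose stored title looks like HTML."""
    return [s.code for s in subs if MARKUP.search(s.title)]


# Constructed sample submissions (no real pretalx data).
SAMPLES = [
    Submission("ABC12", "Rust for embedded"),
    Submission("XYZ99", "Lightning talk <script>probe()</script>"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(render_result(s))
    print("titles needing review:", audit_titles(SAMPLES))
```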
