XSS in the “About the organizer” textarea on Manage Organizer Profile Page
Proof of concept:
where base64 encoded value is
It affects the public organizer profile (e.g. http://www.eventbrite.com/o/unnamed-organizer-5626808865) and the organizer's events if we select the option “Also use this description for event pages” in the profile manager.
XSS in Event Details
Unsanitized “Event title” (only on the preview page), “Event description”, “Custom Header” and “Custom Footer”. Same proof of concept as in the previous example. Affected pages are the preview and published event pages.
Missing access control to archived emails
It’s possible to read every email that was sent to attendees by changing emid. Trivial to enumerate all the emails because of global
Proof of concept: https://www.eventbrite.com/attendees-email?eid=9735397837&emid=555&action=COPY&filter=SCHEDULED&sort=CREATED-DESC
Missing access control to discount codes
No authorization for the discount variable, so it’s possible to read all codes. It’s probably hard to connect a certain code to an event, but it is still possible to enumerate all the codes from the database and run a brute-force attack against a certain event. It could be possible to increase efficiency by trying to correlate the order of discount codes and events.
Proof of concept: https://www.eventbrite.com/discounts?eid=9735484095&discount=42184051
Missing access control to affiliate programs
By changing the value of affid to some value from https://www.eventbrite.com/publicaffiliates, we receive a list of emails, sales and other information. Maybe even actions (like delete) are functional, but I didn’t want to affect the data and users. Trivial to enumerate.
Proof of concept: https://www.eventbrite.com/affiliate?eid=9735484095&affid=4699327
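The emid, discount and affid findings above share one pattern: the object is fetched by its own id without being tied to the caller or to eid. As an added example (not Eventbrite's code and not part of the original report), this Python block contrasts that lookup with one that checks both that the caller manages eid and that the object belongs to eid. The data model, function names and IDs are constructed assumptions.

```python
# Added example: object-level authorization for child resources of an event.
# The data model, names and IDs below are constructed for illustration.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


@dataclass(frozen=True)
class Child:
    """An email, discount or affiliate record that belongs to one event."""
    child_id: int
    event_id: int
    body: str


# Constructed sample data: event id -> user who manages it.
EVENT_OWNER = {1001: "alice", 2002: "bob"}
# Constructed sample data: child ids assumed to be shared across all events.
CHILDREN = {
    554: Child(554, 1001, "alice's attendee email"),
    555: Child(555, 2002, "bob's attendee email"),
}


def load_child_vulnerable(user: str, eid: int, child_id: int) -> Child:
    """Pattern from the reports: the child id is looked up on its own;
    user and eid are accepted but never used in the decision."""
    return CHILDREN[child_id]


def load_child_checked(user: str, eid: int, child_id: int) -> Child:
    """Verify user -> event ownership, then event -> child binding."""
    if EVENT_OWNER.get(eid) != user:
        raise Forbidden("event not managed by caller")
    child = CHILDREN.get(child_id)
    # Same error for "missing" and "belongs to another event", so responses
    # do not reveal which ids exist.
    if child is None or child.event_id != eid:
        raise Forbidden("object not part of this event")
    return child
```

The same two checks apply to state-changing actions such as copy or delete, not only to reads.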
Missing access control for event charts