Multiple vulnerabilities in Eventbrite

Select vulnerabilities:

XSS in the “About the organizer” textarea on Manage Organizer Profile Page

Proof of concept: <object data='data:text/html;base64,PHNjcmlwdD5hbGVydCgyKTwvc2NyaXB0Pg=='>

where the base64-encoded value is "<script>alert(2)</script>". It affects the public organizer profile (e.g. http://www.eventbrite.com/o/unnamed-organizer-5626808865) and the organizer's events if we select the option “Also use this description for event pages” in the profile manager.

XSS in Event Details

The “Event title” (only on the preview page), “Event description”, “Custom Header” and “Custom Footer” fields are unsanitized. Same proof of concept as in the previous example. Affected pages are the preview and published event pages.

Missing access control to archived emails

It’s possible to read every email that was sent to attendees by changing the value of the emid variable. It is trivial to enumerate all the emails because the ids are global.
Proof of concept: https://www.eventbrite.com/attendees-email?eid=9735397837&emid=555&action=COPY&filter=SCHEDULED&sort=CREATED-DESC

Missing access control to discount codes

There is no authorization check on the discount variable, so it’s possible to read all codes. It’s probably hard to connect a certain code to its event, but it is still possible to enumerate all the codes from the database and run a brute-force attack against a certain event. It could be possible to increase efficiency by trying to correlate the order of discount codes and events.
Proof of concept: https://www.eventbrite.com/discounts?eid=9735484095&discount=42184051

Missing access control to affiliate programs

By changing the value of affid to some value from https://www.eventbrite.com/publicaffiliates, we receive a list of emails, sales and other information. Maybe even actions (like delete) are functional, but I didn’t want to affect the data and users. Trivial to enumerate.
Proof of concept: https://www.eventbrite.com/affiliate?eid=9735484095&affid=4699327
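
The archived email, discount code and affiliate findings above share one root cause: a child object is fetched by its global id without checking that it belongs to the requester's event. The following is an added example, not Eventbrite's code, showing that pattern beside a scoped lookup and a regression check. The handler names, data model and sample records are constructed, and the sketch assumes the flawed handler authorizes eid but not emid.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Email:
    emid: int   # global, sequential id
    eid: int    # event this email belongs to
    body: str

# Constructed sample data: two organizers, one event and one email each.
EVENT_OWNER = {1001: "alice", 2002: "bob"}
EMAILS = {
    555: Email(555, 1001, "Alice's note to her attendees"),
    556: Email(556, 2002, "Bob's note to his attendees"),
}

class Forbidden(Exception): pass
class NotFound(Exception): pass

def get_email_vulnerable(user, eid, emid):
    """Assumed flawed pattern: eid is authorized, emid is looked up globally."""
    if EVENT_OWNER.get(eid) != user:
        raise Forbidden()
    email = EMAILS.get(emid)
    if email is None:
        raise NotFound()
    return email.body

def get_email_scoped(user, eid, emid):
    """Hardened: the email must belong to the event the user owns."""
    if EVENT_OWNER.get(eid) != user:
        raise Forbidden()
    email = EMAILS.get(emid)
    # Same error for "missing" and "other organizer's", so responses do not
    # confirm which global ids exist.
    if email is None or email.eid != eid:
        raise NotFound()
    return email.body

def cross_tenant_reads(handler):
    """Regression check: (user, emid) pairs readable across organizers."""
    leaks = []
    for eid, user in EVENT_OWNER.items():
        for emid, email in EMAILS.items():
            if email.eid == eid:
                continue
            try:
                handler(user, eid, emid)
                leaks.append((user, emid))
            except (Forbidden, NotFound):
                pass
    return leaks
```

The same scoping applies to the discount and affid parameters: every id taken from the request is resolved within the event the session is authorized for.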

Missing access control for event charts