Impact
The payment integration with Mollie in the pretix-mollie plugin does not validate payment status responses correctly, allowing an attacker to reuse a successful response from one payment for a different transaction, causing the system to issue tickets that have not been paid for. This bypasses the payment process and enables the attacker to illegitimately acquire valid tickets, compromising the integrity of ticket access and potentially the financial model of an event.
Affected Systems
The vulnerability affects the pretix-mollie plugin provided by pretix. No specific version details are supplied, so any deployment using this plugin that has not applied a patch to properly validate Mollie payment status responses may be vulnerable.
Risk and Exploitability
The CVSS score of 6.3 indicates moderate severity. EPSS is not available and the vulnerability is not listed in CISA KEV. The likely attack path involves sending a forged payment status update to a pretix instance that trusts the Mollie response, a capital requirement that can be met with remote network access. Upon exploitation, an attacker can obtain multiple tickets with a single payment, creating financial loss and undermining trust in the event system. While no public exploit is documented, the impact of payment bypass remains significant, making the risk moderate to high for unattended systems.
OpenCVE Enrichment