Hi.Events before 1.11.0 contains a missing server-side visibility enforcement vulnerability that allows unauthenticated attackers to purchase hidden tickets by referencing hidden product and price IDs in order creation requests without authorization checks. Attackers can enumerate sequential hidden ticket IDs from visible ones and submit order creation requests referencing those IDs to purchase VIP, invite-only, or discounted tickets intentionally withheld from public sale.
Metrics
Affected Vendors & Products
References
History
Wed, 15 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 14 Jul 2026 22:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Hi.events
Hi.events hi.events |
|
| CPEs | cpe:2.3:a:hi.events:hi.events:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Hi.events
Hi.events hi.events |
Tue, 14 Jul 2026 20:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Hi.Events through v1.10.0-beta contains a missing server-side visibility enforcement vulnerability that allows unauthenticated attackers to purchase hidden tickets by referencing hidden product and price IDs in order creation requests without authorization checks. Attackers can enumerate sequential hidden ticket IDs from visible ones and submit order creation requests referencing those IDs to purchase VIP, invite-only, or discounted tickets intentionally withheld from public sale. | Hi.Events before 1.11.0 contains a missing server-side visibility enforcement vulnerability that allows unauthenticated attackers to purchase hidden tickets by referencing hidden product and price IDs in order creation requests without authorization checks. Attackers can enumerate sequential hidden ticket IDs from visible ones and submit order creation requests referencing those IDs to purchase VIP, invite-only, or discounted tickets intentionally withheld from public sale. |
| Title | Hi.Events v1.10.0-beta Hidden Ticket Enumeration via Order Creation Endpoint | Hi.Events < 1.11.0 Hidden Ticket Enumeration via Order Creation Endpoint |
Tue, 14 Jul 2026 18:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Hieventsdev
Hieventsdev hi.events |
|
| Vendors & Products |
Hieventsdev
Hieventsdev hi.events |
Tue, 14 Jul 2026 16:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Hi.Events through v1.10.0-beta contains a missing server-side visibility enforcement vulnerability that allows unauthenticated attackers to purchase hidden tickets by referencing hidden product and price IDs in order creation requests without authorization checks. Attackers can enumerate sequential hidden ticket IDs from visible ones and submit order creation requests referencing those IDs to purchase VIP, invite-only, or discounted tickets intentionally withheld from public sale. | |
| Title | Hi.Events v1.10.0-beta Hidden Ticket Enumeration via Order Creation Endpoint | |
| Weaknesses | CWE-862 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published: 2026-07-14T15:42:31.865Z
Updated: 2026-07-15T15:42:42.390Z
Reserved: 2026-07-08T13:27:53.031Z
Link: CVE-2026-60118
Updated: 2026-07-15T15:42:30.881Z
No data.
No data.