Indico

7 CVEs (product)

Monthly

CVE-2026-28352 MEDIUM PATCH This Month

Missing authentication checks on Indico's event series management API endpoint allow unauthenticated attackers to view event metadata, delete series, and modify series configurations. The vulnerability affects Indico versions prior to 3.3.11 and has limited impact, as it does not grant access to actual event data beyond basic metadata. Upgrade to version 3.3.11 or restrict API endpoint access at the web server level to remediate.

Tags: Flask, Indico
Links: NVD, GitHub
CVSS 3.1: 6.5
EPSS: 0.1%
CVE-2026-25739 MEDIUM PATCH This Month

Cross-site scripting in Indico prior to version 3.3.10 allows authenticated users to inject malicious scripts through material file uploads, potentially compromising other users' sessions or stealing sensitive data. The vulnerability affects Indico deployments using Flask-Multipass authentication and requires both user interaction and authenticated access to exploit. A patch is available, and administrators should upgrade to version 3.3.10 and update webserver configurations to enforce strict Content Security Policy for file downloads.

Tags: Nginx, GitHub, Flask, XSS, Indico
Links: NVD, GitHub
CVSS 3.1: 5.4
EPSS: 0.0%
CVE-2026-25738 MEDIUM PATCH This Month

Indico versions before 3.3.10 allow authenticated event organizers to conduct server-side request forgery attacks by providing arbitrary URLs that the application will access, potentially exposing internal services and cloud metadata endpoints. An attacker with event organizer privileges can leverage this to retrieve sensitive data from localhost or cloud infrastructure endpoints that lack authentication controls. The vulnerability affects deployments on cloud platforms like AWS where metadata services are accessible; administrators should upgrade to version 3.3.10 to remediate.

Tags: Golang, Flask, SSRF, Indico
Links: NVD, GitHub
CVSS 3.1: 4.3
EPSS: 0.1%
CVE-2025-59035 MEDIUM PATCH Monitor

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable with low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Tags: Python, XSS, Indico
Links: NVD, GitHub
CVSS 3.1: 4.6
EPSS: 0.0%
CVE-2025-59034 MEDIUM PATCH Monitor

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable with low attack complexity.

Tags: Authentication Bypass, Python, Indico
Links: NVD, GitHub
CVSS 3.1: 4.3
EPSS: 0.0%
CVE-2025-53640 MEDIUM POC PATCH This Month

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Starting in version 2.2 and prior to version 3.3.7, an endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (such as name, affiliation and email) in bulk. Version 3.3.7 fixes the issue. Owners of instances that allow everyone to create a user account, who wish to truly restrict access to these user details, should consider restricting user search to managers. As a workaround, it is possible to restrict access to the affected endpoints (e.g. in the webserver config), but doing so would break certain form fields which could no longer show the details of the users listed in those fields, so upgrading instead is highly recommended.

Tags: Information Disclosure, Python, Indico
Links: NVD, GitHub
CVSS 3.1: 6.5
EPSS: 0.1%
CVE-2024-50633 NONE POC PATCH

A Broken Object Level Authorization (BOLA) vulnerability in Indico through 3.3.5 allows attackers to read information by sending a crafted POST request to the component /api/principals. It is rated as remotely exploitable, requiring no authentication and with low attack complexity. Public exploit code is available and no vendor patch is available.

Tags: Information Disclosure, Indico
Links: NVD, GitHub
EPSS: 9.0%