CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
16.3%
There is a Cross-Site-Scripting vulnerability during account creation when redirecting after the account has been successfully created.
Exploitation requires the user to initiate the account creation process with a maliciously crafted link, and then finalize the signup process. Because of this, it can only target newly created (and thus unprivileged) Indico users so the benefits of exploiting it are very limited.
You should to update to Indico 3.3.4 as soon as possible.
See the docs for instructions on how to update.
flask-multipass
dependency to >=0.5.5
which fixes the vulnerability. You would do that by editing requirements.txt
before building the package (see commit 7dcb573837), or possibly cherry-picking that particular commit.javascript:
If you have any questions or comments about this advisory:
github.com/advisories/GHSA-rrqf-w74j-24ff
github.com/indico/flask-multipass/commit/0bdcf656d469e5f675cb56fd644d82fea3a97c2a
github.com/indico/indico/commit/7dcb573837b9fd09d95f74d1baeae225b164cc8f
github.com/indico/indico/releases/tag/v3.3.4
github.com/indico/indico/security/advisories/GHSA-rrqf-w74j-24ff
nvd.nist.gov/vuln/detail/CVE-2024-45399
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
16.3%