Indico 访问控制错误漏洞

Indico is an open-source event management system with rich functionality. Versions of Indico prior to 3.3.11 contained a access control vulnerability; this vulnerability stemmed from the lack of access checks in the event series management API endpoints, which could allow unauthorized access...

CVE-2025-59034 Indico may disclose unauthorized user details access via legacy API

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Prior to version 3.3.8, a legacy API to retrieve user details could be misused to retrieve profile details of other users without having admin permissions due to a broken access check...

PT-2024-31603 · Unknown +1 · Flask-Multipass +1

Name of the Vulnerable Software and Affected Versions: Indico versions prior to 3.3.4 Flask-Multipass versions prior to 0.5.5 Description: There is a Cross-Site-Scripting issue during account creation when redirecting to the next URL. Exploitation requires initiating the account creation process...