Lucene search
K
CernIndico

11 matches found

CVE
CVE
added 2025/01/16 12:0 a.m.88 views

CVE-2024-50633

Summary: CVE-2024-50633 describes a Broken Object Level Authorization (BOLA) in Indico through 3.3.5, where a crafted POST to /api/principals can cause attackers to read information from other user accounts. Affected scope (supported by documents): Indico in versions up to 3.3.5 (notably includin...

7.5CVSS4.1AI score0.00603EPSS
CVE
CVE
added 2021/04/07 1:25 p.m.67 views

CVE-2021-30185

CVE-2021-30185 affects CERN Indico prior to 2.3.4. The vulnerability resides in Indico’s URL generation for password resets, where an attacker-supplied Host header can steer the reset link to an attacker-controlled domain. If a user clicks such a link, the attacker could obtain the password reset...

7.5CVSS7.5AI score0.01047EPSS
CVE
CVE
added 2023/07/21 6:14 p.m.62 views

CVE-2023-37901

CVE-2023-37901 describes a Cross‑Site Scripting vulnerability in Indico’s confirmation prompts used when deleting content. Exploitation requires at least a submission privilege (e.g., a speaker) and a second user to attempt deletion, with risk heightened by social engineering. The affected softwa...

5.4CVSS5.3AI score0.00433EPSS
CVE
CVE
added 2024/09/04 8:12 p.m.52 views

CVE-2024-45399

Indico prior to version 3.3.4 (Flask-Multipass = 0.5.5, which fixes the issue. If upgrading is not possible, mitigate by updating flask-multipass to >= 0.5.5 or configuring the web server to disallow query strings with a next parameter starting with javascript:.

6.1CVSS5.4AI score0.00361EPSS
CVE
CVE
added 2025/07/14 8:14 p.m.37 views

CVE-2025-53640

CVE-2025-53640 – Indico user details disclosure via API/endpoint . Indico (event management platform) uses Flask-Multipass for authentication. Until fixed in v3.3.7, a specific endpoint that presents user details in fields such as ACLs could be abused to bulk-dump basic user data (name, affiliati...

6.5CVSS7.3AI score0.00565EPSS
CVE
CVE
added 2025/09/10 4:3 p.m.27 views

CVE-2025-59035

CVE-2025-59035 — Indico XSS via LaTeX math rendering : Multiple sources (NVD, Red Hat, OSV, GHSA advisories, Snyk) confirm a Cross-Site Scripting vulnerability in Indico prior to version 3.3.8, triggered when rendering LaTeX math code in contribution or abstract descriptions. A fixed release is I...

5.4CVSS6.6AI score0.00189EPSS
CVE
CVE
added 2025/09/10 4:1 p.m.25 views

CVE-2025-59034

The CVE-2025-59034 affects Indico before version 3.3.8, where a legacy API for retrieving user details could disclose profile data of other users due to a broken access check in Flask-Multipass-based authentication. The issue enables unauthorized access without admin permissions; impact is limite...

4.3CVSS6.3AI score0.00235EPSS
CVE
CVE
added 2026/02/19 3:39 p.m.19 views

CVE-2026-25739

CVE-2026-25739 affects Indico before version 3.3.10, with a cross-site scripting vulnerability triggered by uploading certain file types as materials. The root cause is improper handling of material uploads in Indico’s upload flow, allowing script injection that can impact end users. Mitigation p...

5.4CVSS5.2AI score0.00161EPSS
CVE
CVE
added 2026/03/23 10:45 p.m.17 views

CVE-2026-33046

CVE-2026-33046 affects Indico (event management system) where, in versions prior to 3.3.12, TeXLive/LaTeX sanitizer bypass via specially crafted LaTeX snippets could read local files or execute code with server user privileges when server-side LaTeX rendering is enabled (XELATEX_PATH set). If ser...

8.8CVSS5.9AI score0.00782EPSS
CVE
CVE
added 2026/02/27 9:1 p.m.14 views

CVE-2026-28352

CVE-2026-28352 affects Indico (event management system) prior to 3.3.11. The vulnerability is an missing access check in the API endpoint that manages event series, enabling unauthenticated/unauthorized access to metadata (title, category chain, start/end date) for events in an existing series, a...

6.5CVSS5.9AI score0.00264EPSS
CVE
CVE
added 2026/02/19 3:30 p.m.12 views

CVE-2026-25738

Indico SSRF (CVE-2026-25738) affects Indico versions before 3.3.10. Outgoing requests to user-provided URLs can access sensitive targets (e.g., localhost, cloud metadata). Impact is limited by access controls (only event organizers can see returned data); non-AWS IPs are less affected. remediatio...

6.9CVSS5.6AI score0.00189EPSS