11 matches found
CVE-2024-50633
Summary: CVE-2024-50633 describes a Broken Object Level Authorization (BOLA) in Indico through 3.3.5, where a crafted POST to /api/principals can cause attackers to read information from other user accounts. Affected scope (supported by documents): Indico in versions up to 3.3.5 (notably includin...
CVE-2021-30185
CVE-2021-30185 affects CERN Indico prior to 2.3.4. The vulnerability resides in Indico’s URL generation for password resets, where an attacker-supplied Host header can steer the reset link to an attacker-controlled domain. If a user clicks such a link, the attacker could obtain the password reset...
CVE-2023-37901
CVE-2023-37901 describes a Cross‑Site Scripting vulnerability in Indico’s confirmation prompts used when deleting content. Exploitation requires at least a submission privilege (e.g., a speaker) and a second user to attempt deletion, with risk heightened by social engineering. The affected softwa...
CVE-2024-45399
Indico prior to version 3.3.4 (Flask-Multipass = 0.5.5, which fixes the issue. If upgrading is not possible, mitigate by updating flask-multipass to >= 0.5.5 or configuring the web server to disallow query strings with a next parameter starting with javascript:.
CVE-2025-53640
CVE-2025-53640 – Indico user details disclosure via API/endpoint . Indico (event management platform) uses Flask-Multipass for authentication. Until fixed in v3.3.7, a specific endpoint that presents user details in fields such as ACLs could be abused to bulk-dump basic user data (name, affiliati...
CVE-2025-59035
CVE-2025-59035 — Indico XSS via LaTeX math rendering : Multiple sources (NVD, Red Hat, OSV, GHSA advisories, Snyk) confirm a Cross-Site Scripting vulnerability in Indico prior to version 3.3.8, triggered when rendering LaTeX math code in contribution or abstract descriptions. A fixed release is I...
CVE-2025-59034
The CVE-2025-59034 affects Indico before version 3.3.8, where a legacy API for retrieving user details could disclose profile data of other users due to a broken access check in Flask-Multipass-based authentication. The issue enables unauthorized access without admin permissions; impact is limite...
CVE-2026-25739
CVE-2026-25739 affects Indico before version 3.3.10, with a cross-site scripting vulnerability triggered by uploading certain file types as materials. The root cause is improper handling of material uploads in Indico’s upload flow, allowing script injection that can impact end users. Mitigation p...
CVE-2026-33046
CVE-2026-33046 affects Indico (event management system) where, in versions prior to 3.3.12, TeXLive/LaTeX sanitizer bypass via specially crafted LaTeX snippets could read local files or execute code with server user privileges when server-side LaTeX rendering is enabled (XELATEX_PATH set). If ser...
CVE-2026-28352
CVE-2026-28352 affects Indico (event management system) prior to 3.3.11. The vulnerability is an missing access check in the API endpoint that manages event series, enabling unauthenticated/unauthorized access to metadata (title, category chain, start/end date) for events in an existing series, a...
CVE-2026-25738
Indico SSRF (CVE-2026-25738) affects Indico versions before 3.3.10. Outgoing requests to user-provided URLs can access sensitive targets (e.g., localhost, cloud metadata). Impact is limited by access controls (only event organizers can see returned data); non-AWS IPs are less affected. remediatio...