
CVE-2023-37901 indico

Package

Manager: pip
Name: indico
Vulnerable Version: >=0 <3.2.6

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00421 (percentile 0.61199)

Details

Indico vulnerable to Cross-Site-Scripting via confirmation prompts

### Impact

There is a Cross-Site-Scripting vulnerability in the confirmation prompts commonly used when deleting content from Indico. Exploitation requires someone with at least submission privileges (such as a speaker) to plant the payload in content they submit, and then someone else with the rights to delete that content to attempt to delete it. Since event organizers may well try to delete suspicious-looking content as soon as they spot it, there is a non-negligible risk of such an attack succeeding. The risk increases further when combined with social engineering that points the victim towards the malicious content.

### Patches

Update to [Indico 3.2.6](https://github.com/indico/indico/releases/tag/v3.2.6) as soon as possible. See [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update.

### Workarounds

Only let trustworthy users manage categories, create events, or upload materials ("submission" privileges on a contribution/event). This should already be the case in a properly configured setup when it comes to category/event management. Note, however, that a conference running a Call for Abstracts actively invites external speakers (whom the organizers may not know and thus cannot fully trust) to submit content, hence the need to update to a fixed version ASAP, in particular when using such workflows.

### For more information

If you have any questions or comments about this advisory:

* Open a thread in [our forum](https://talk.getindico.io/)
* Email us privately at [indico-team@cern.ch](mailto:indico-team@cern.ch)
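The bug class described above, as an added illustration that is not Indico's own code: a delete-confirmation prompt whose message is built from an item title that a low-privileged submitter controls. The function names, the hostile title, and the wrapper markup are assumptions chosen for the demonstration; the vulnerable builder interpolates the title straight into HTML, the hardened builder escapes it first, and a small checker shows how a reviewer can tell the two apart on rendered output.

```javascript
// Added example, not Indico's code. Names and sample data are assumptions.

// Constructed sample: a contribution title a speaker could submit through a
// Call for Abstracts. The submission form has no reason to reject it, since
// legitimate titles can contain angle brackets and quotes.
const HOSTILE_TITLE =
  'Results <img src=x onerror="fetch(\'/evil?c=\'+document.cookie)"> (final)';

// Vulnerable pattern: the untrusted title is interpolated directly into the
// prompt's HTML, so the browser parses the <img> tag and runs its onerror
// handler the moment a manager opens the "delete?" dialog.
function buildConfirmPromptUnsafe(title) {
  return `<p>Are you sure you want to delete "${title}"?</p>`;
}

// Minimal HTML escaper for the five characters that can break out of text or
// attribute context; equivalent to what a template engine does with
// autoescaping enabled.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened form: the same prompt, with the title escaped before it is
// concatenated into markup. The manager still sees the literal title text.
function buildConfirmPromptSafe(title) {
  return `<p>Are you sure you want to delete "${escapeHtml(title)}"?</p>`;
}

// Regression check over rendered prompt HTML: does any tag other than the
// wrapper <p> survive? Returns true when user-controlled markup leaked through.
function containsUnexpectedTag(html) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags.some((t) => !/^<\/?p$/i.test(t));
}

console.log('unsafe :', buildConfirmPromptUnsafe(HOSTILE_TITLE));
console.log('leaks  :', containsUnexpectedTag(buildConfirmPromptUnsafe(HOSTILE_TITLE)));
console.log('safe   :', buildConfirmPromptSafe(HOSTILE_TITLE));
console.log('leaks  :', containsUnexpectedTag(buildConfirmPromptSafe(HOSTILE_TITLE)));
```

Escaping is context-specific: the escaper above is correct only when the title lands in HTML text or a quoted attribute. If a prompt instead embeds the title inside an inline event handler or a script block, HTML escaping alone is not sufficient and the value needs JavaScript-string escaping (or, better, should be passed via a data attribute and read with `textContent`).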

Metadata

Created: 2023-07-21T20:24:10Z
Modified: 2024-09-23T17:02:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-fmqq-25x9-c6hm/GHSA-fmqq-25x9-c6hm.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-fmqq-25x9-c6hm
Finding: F425
Auto approve: 1