CVE-2025-53640

Exploit

EPSS 0.57%
Veröffentlicht 14.07.2025 20:14:27
Zuletzt bearbeitet 15.09.2025 18:55:37
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Indico vulnerable to user enumeration via API endpoint

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Starting in version 2.2 and prior to version 3.3.7, an endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (such as name, affiliation and email) in bulk. Version 3.3.7 fixes the issue. Owners of instances that allow everyone to create a user account, who wish to truly restrict access to these user details, should consider restricting user search to managers. As a workaround, it is possible to restrict access to the affected endpoints (e.g. in the webserver config), but doing so would break certain form fields which could no longer show the details of the users listed in those fields, so upgrading instead is highly recommended.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 3 Referenzen 9

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cern ≫ Indico Version >= 2.2 < 3.3.7

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.57%	0.424

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	5.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/indico/indico/security/advisories/GHSA-q28v-664f-q6wj

Vendor Advisory

https://docs.getindico.io/en/stable/config/settings/#ALLOW_PUBLIC_USER_SEARCH

Product

https://docs.getindico.io/en/stable/installation/upgrade

Product

https://github.com/indico/indico/releases/tag/v3.3.7

Release Notes

https://www.vicarius.io/vsociety/posts/cve202553640-detect-indico-vulnerability

Third Party Advisory

Exploit

https://www.vicarius.io/vsociety/posts/cve202553640-mitigate-indico-vulnerability

Third Party Advisory

Exploit

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2025-53640

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-53640

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-53640

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-53640