Cern

Indico

10 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
  • EPSS 0.04%
  • Published 27.02.2026 21:01:45
  • Last modified 03.03.2026 18:31:21

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.11, the API endpoint used to manage event series is missing an access check, allowing unauthenticated/unauthoriz...

  • EPSS 0.05%
  • Published 19.02.2026 15:39:32
  • Last modified 26.02.2026 02:56:29

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to cross-site scripting when uploading certain file types as materials. Users should upgrade to v...

  • EPSS 0.05%
  • Published 19.02.2026 15:30:54
  • Last modified 26.02.2026 02:57:25

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing requests to user-provided URLs in various p...

  • EPSS 0.03%
  • Published 10.09.2025 16:03:36
  • Last modified 17.09.2025 21:23:56

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Prior to version 3.3.8, there is a Cross-Site-Scripting vulnerability when rendering LaTeX math code in contribution or abstract descript...

  • EPSS 0.04%
  • Published 10.09.2025 16:01:09
  • Last modified 17.09.2025 21:31:06

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Prior to version 3.3.8, a legacy API to retrieve user details could be misused to retrieve profile details of other users without having ...

Exploit
  • EPSS 0.08%
  • Published 14.07.2025 20:14:27
  • Last modified 15.09.2025 18:55:37

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Starting in version 2.2 and prior to version 3.3.7, an endpoint used to display details of users listed in certain fields (such as ACLs) ...

Exploit
  • EPSS 7.15%
  • Published 16.01.2025 18:15:24
  • Last modified 19.09.2025 18:48:08

A Broken Object Level Authorization (BOLA) vulnerability in Indico through 3.3.5 allows attackers to read information by sending a crafted POST request to the component /api/principals. NOTE: this is disputed by the Supplier because the product inten...

  • EPSS 0.81%
  • Published 04.09.2024 20:15:09
  • Last modified 24.09.2024 16:48:10

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In Indico prior to version 3.3.4, corresponding to Flask-Multipass prior to version 0.5.5, there is a Cross-Site-Scripting vulnerability ...

  • EPSS 0.42%
  • Published 21.07.2023 19:15:10
  • Last modified 21.11.2024 08:12:25

Indico is an open source, general-purpose, web-based event management tool. There is a Cross-Site-Scripting vulnerability in confirmation prompts commonly used when deleting content from Indico. Exploitation requires someone with at least submission...

  • EPSS 0.24%
  • Published 07.04.2021 14:15:17
  • Last modified 21.11.2024 06:03:28

CERN Indico before 2.3.4 can use an attacker-supplied Host header in a password reset link.