Cross-Site-Scripting via confirmation prompts
Description
Indico is an open-source, general-purpose, web-based event management tool. There is a Cross-Site Scripting vulnerability in confirmation prompts commonly used when deleting content from Indico. Exploitation requires someone with at least submission privileges (such as a speaker) and then someone else attempting to delete this content. Considering that event organizers may want to delete suspicious-looking content when spotting it, there is a non-negligible risk of such an attack succeeding. The risk could be further increased when combined with some social engineering pointing the victim towards this content. Users need to update to Indico 3.2.6 as soon as possible. See the docs for instructions on how to update. Users who cannot upgrade should only let trustworthy users manage categories, create events or upload materials ("submission" privileges on a contribution/event). This should already be the case in a properly configured setup when it comes to category/event management. Note that a conference doing a Call for Abstracts actively invites external speakers (whom the organizers may not know and thus cannot fully trust) to submit content, hence the need to update to a fixed version ASAP, in particular when using such workflows.
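The bug and its fix in `misc.js` come down to which jQuery sink receives the `data-confirm` string. The following JavaScript is an added illustration, not Indico's code: it models the escape-then-decode path from the Jinja template to `confirmPrompt()` with plain functions (`escapeHtml`, `decodeEntities`, `promptInnerHtml` and the sample title are all constructed here, no real DOM is used) and shows why `html:` interprets a speaker-supplied title as markup while `text:` does not.

```javascript
// Added example, not Indico's code: models the data flow behind the bug and the
// fix. Stage 1: the Jinja template autoescapes a user-controlled title into a
// data-confirm attribute. Stage 2: the browser decodes those entities when the
// script reads the attribute. Stage 3: confirmPrompt() inserts the message as
// HTML (old: $('<div>', {html: message})) or as text (fixed: {text: message}).
// No real DOM here; each sink returns the innerHTML it would produce.

const ESCAPE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNESCAPE = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };

// Equivalent of markupsafe.escape, which Jinja autoescaping uses.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPE[c]);
}

// One left-to-right pass, so '&amp;lt;' becomes '&lt;' exactly as in a browser.
function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => UNESCAPE[name]);
}

// Stage 1: attribute value the template emits; the quotes belong to the
// escaped variable, as in the `name='"%s"'|format(...)` pattern in _menu.html.
function renderConfirmAttribute(title) {
  return `Are you sure you want to remove ${escapeHtml(`"${title}"`)}?`;
}

// Stage 2: the string $(el).data('confirm') hands to confirmPrompt().
function readDataAttribute(attrValue) {
  return decodeEntities(attrValue);
}

// Stage 3: `html: message` parses the string as markup, so any element in the
// title becomes live DOM; `text: message` stores it as a text node, whose
// serialised form is the entity-escaped string.
function promptInnerHtml(title, fixed) {
  const message = readDataAttribute(renderConfirmAttribute(title));
  return fixed ? escapeHtml(message) : message;
}

// True if the dialog markup contains an actual element, i.e. the title's
// markup was interpreted rather than displayed.
function hasLiveTag(innerHtml) {
  return /<[a-z][^>]*>/i.test(innerHtml);
}

// Constructed sample: an attachment title a speaker could set, carrying markup.
const SAMPLE_TITLE = 'Slides <i>(final)</i>';
```

The same round trip explains why the patch also strips `<br>` and `<strong>` from the templates: once the sink is text, those tags would be shown literally instead of rendered.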
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| indico (PyPI) | < 3.2.6 | 3.2.6 |
Patches
2ee636d31865 Fix XSS in confirmation prompts
12 files changed · +28 −18
CHANGES.rst+11 −0 modified@@ -7,6 +7,17 @@ Version 3.2.6 *Unreleased* +Security fixes +^^^^^^^^^^^^^^ + +- Fix an XSS vulnerability in various confirmation prompts commonly used when deleting + things. Exploitation requires someone with at least submission privileges (such as a + speaker) and then rely on someone else to attempt to delete this content. However, + considering that event organizers may indeed delete suspicious-looking content when + encountering it, there is a non-negligible risk of such an attack to succeed. Because + of this it is strongly recommended to upgrade as soon as possible (:pr:`5862`, + :cve:`CVE-2023-37901`) + Internationalization ^^^^^^^^^^^^^^^^^^^^
indico/modules/attachments/templates/_attachments.html+2 −2 modified@@ -54,7 +54,7 @@ data-title="{% trans name=attachment.title %}Remove {{ name }}?{% endtrans %}" title="{% trans %}Remove{% endtrans %}" data-confirm="{% trans name=attachment.title -%} - Are you sure you want to remove "{{ name }}"?<br> + Are you sure you want to remove "{{ name }}"? This will remove the attachment permanently. {%- endtrans %}"> </a> @@ -94,7 +94,7 @@ data-title="{% trans name=folder.title %}Remove {{ name }}?{% endtrans %}" title="{% trans %}Remove{% endtrans %}" data-confirm="{% trans name=folder.title -%} - Are you sure you want to remove "{{ name }}"?<br> + Are you sure you want to remove "{{ name }}"? This will remove the folder and its contents permanently. {%- endtrans %}"> </a>
indico/modules/categories/templates/management/base.html+4 −2 modified@@ -2,7 +2,9 @@ {% macro delete_category_button(category, classes="i-button") %} {% set confirmation_message -%} - {% trans category=category.title %}Do you really want to delete the category "{{ category }}"?{% endtrans %} + {% trans category=category.title %} + Do you really want to delete the category "{{ category }}"? + {% endtrans %} {%- endset %} {% if category.is_empty %} {% set tooltip -%} @@ -16,7 +18,7 @@ {% endif %} <a class="{{ classes }} icon-remove js-delete-category" title="{{ tooltip|forceescape }}" - data-confirm="{{ confirmation_message|forceescape }}" + data-confirm="{{ confirmation_message }}" data-title="{% trans %}Delete category{% endtrans %}" data-href="{{ url_for('categories.delete', category) }}" data-method="POST"></a>
indico/modules/events/abstracts/templates/reviewing/public.html+0 −2 modified@@ -19,12 +19,10 @@ <h3 class="f-self-stretch js-mathjax"> {% set message %} {% trans %}Do you really want to withdraw this abstract?{% endtrans %} {% if abstract.contribution %} - <br> {%- trans -%} Withdrawing this abstract will permanently delete its corresponding contribution. {%- endtrans -%} {% elif not can_manage %} - <br> {% trans %}This operation is irreversible.{% endtrans %} {% endif %} {% endset %}
indico/modules/events/layout/templates/_menu.html+1 −1 modified@@ -37,7 +37,7 @@ title="{% trans %}Remove the menu entry{% endtrans %}" data-confirm=" {%- if not entry.is_separator -%} - {%- trans name='"%s"'|format(entry.localized_title) -%} + {%- trans name='"%s"'|format(entry.localized_title) -%} Are you sure you want to remove {{ name }}? {%- endtrans -%} {% else %}
indico/modules/events/management/templates/_action_menu.html+1 −1 modified@@ -1,6 +1,6 @@ {% macro _change_type_confirmation(type) %} {% trans -%} - Changing the event type to <strong>{{ type }}</strong> will change the look of the event page + Changing the event type to {{ type }} will change the look of the event page and may disable some features not available for the new event type. {%- endtrans %} {% endmacro %}
indico/modules/events/static/templates/static_sites.html+1 −1 modified@@ -11,7 +11,7 @@ data-method="post" data-href="{{ url_for('static_site.build', event) }}" data-title="{% trans %}Build an offline copy{% endtrans %}" - data-confirm="{% trans %}Are you sure you want to build an offline copy of this event?<br>Beware that it is a heavy operation, especially for large events, and it might take some time to finish.{% endtrans %}"> + data-confirm="{% trans %}Are you sure you want to build an offline copy of this event? Beware that it is a heavy operation, especially for large events, and it might take some time to finish.{% endtrans %}"> {%- trans %}Build offline copy{% endtrans -%} </button> </div>
indico/modules/events/surveys/templates/management/survey.html+4 −2 modified@@ -194,8 +194,10 @@ <h2> {% set data_confirm %} {% trans %}Are you sure you want to remove this submission?{% endtrans %} {% if submission.is_anonymous %} - <br><br> - {% trans %}Note: Authenticated users will not be able to submit an anonymous survey again even if you delete their submission.{% endtrans %} + {% trans %} + Note: Authenticated users will not be able to submit an anonymous survey again + even if you delete their submission. + {% endtrans %} {% endif %} {% endset %} <a href="#" class="icon-remove right js-delete-submission hide-if-locked"
indico/modules/oauth/templates/user_apps.html+1 −1 modified@@ -36,7 +36,7 @@ <button class="ui negative small button" data-href="{{ url_for('.user_app_revoke', auth.application) }}" data-method="POST" - data-confirm="{% trans app_name=auth.application.name %}{{ app_name }} will no longer have access to your Indico data.<br> + data-confirm="{% trans app_name=auth.application.name %}{{ app_name }} will no longer have access to your Indico data. Are you sure you want to revoke its access?{% endtrans %}"> {%- trans %}Revoke{% endtrans -%} </button>
indico/modules/oauth/templates/user_tokens.html+0 −3 modified@@ -109,13 +109,10 @@ You cannot undo this action. {% endtrans %} {% if not can_manage %} - <br><br> - <strong> {% trans %} Warning: You will not be able to create a new API token since only Indico admins can create API tokens. {% endtrans %} - </strong> {% endif %} "> <i aria-hidden="true" class="trash icon"></i>
indico/modules/users/templates/personal_data.html+2 −2 modified@@ -14,7 +14,7 @@ <button class="ui negative small button" data-href="{{ url_for('.user_block') }}" data-method="PUT" - data-confirm="{% trans %}This user will no longer have access to Indico.<br> + data-confirm="{% trans %}This user will no longer have access to Indico. Are you sure you want to revoke their access?{% endtrans %}" data-reload-after {% if user == session.user %}disabled{% endif %}> @@ -25,7 +25,7 @@ <button class="ui small button" data-href="{{ url_for('.user_block') }}" data-method="DELETE" - data-confirm="{% trans %}This user will regain access to Indico.<br> + data-confirm="{% trans %}This user will regain access to Indico. Are you sure you want to restore their access?{% endtrans %}" data-reload-after> {% trans %}Unblock User{% endtrans %}
indico/web/client/js/jquery/utils/misc.js+1 −1 modified@@ -12,7 +12,7 @@ import Palette from '../../utils/palette'; (function(global) { global.confirmPrompt = function confirmPrompt(message, title) { var dfd = $.Deferred(); - message = $('<div>', {width: 400, html: message}); + message = $('<div>', {width: 400, text: message}); new ConfirmPopup(title || $T('Please confirm'), message, function(confirmed) { if (confirmed) { dfd.resolve();
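Review bot: the `misc.js` hunk is the actual root fix, and it deserves a comment at the call site. `$('<div>', {width: 400, html: message})` parsed whatever the `data-confirm` attribute carried as HTML, and because the browser undoes Jinja's attribute escaping when the attribute is read, a submitter-controlled title reached that sink unescaped; `text: message` makes the sink inert. Every `data-confirm` in the tree now depends on callers passing plain text, so a one-line note such as `// message is inserted as text; markup in data-confirm is not rendered` next to the changed line would stop someone reintroducing `html:` later.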
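Review bot: in the `categories/templates/management/base.html` hunk, dropping `|forceescape` from `data-confirm="{{ confirmation_message }}"` is only safe because `confirmPrompt` now inserts the message as text; on its own, removing escaping in a security fix looks wrong. The `{% set %}` block is already autoescaped, so the previous extra pass would have shown literal `&lt;` in the prompt, which explains the removal, but the dependency on the `misc.js` change is worth stating in the commit message or a template comment.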
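Review bot: the `<br>` removals in `static_sites.html` (and the matching ones in `_attachments.html`, `user_apps.html`, `personal_data.html`, `survey.html`, `user_tokens.html`, plus the `<strong>` in `_action_menu.html`) are required companions to the text sink, since any tag left in a `data-confirm` value would now be displayed literally. Consider a tree-wide search (plugins included) for `data-confirm` values containing `<` so no prompt is missed, and note that the line breaks the `<br>` provided are gone, so longer prompts now render as one paragraph.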
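Review bot: the `_menu.html` hunk looks like a whitespace-only change; the removed and added `{%- trans name='"%s"'|format(entry.localized_title) -%}` lines are identical as shown. If this is intentional indentation cleanup it is harmless, but unrelated churn is best kept out of a security commit so the diff stays reviewable.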
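Review bot: a grammar point in the `CHANGES.rst` entry: "Exploitation requires someone with at least submission privileges (such as a speaker) and then rely on someone else" should read "and then relies on someone else", and "risk of such an attack to succeed" reads better as "risk of such an attack succeeding". Otherwise the entry correctly references the PR and CVE.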
References
- github.com/advisories/GHSA-fmqq-25x9-c6hm
- nvd.nist.gov/vuln/detail/CVE-2023-37901
- docs.getindico.io/en/stable/installation/upgrade/
- github.com/indico/indico/commit/2ee636d318653fb1ab193803dafbfe3e371d4130
- github.com/indico/indico/releases/tag/v3.2.6
- github.com/indico/indico/security/advisories/GHSA-fmqq-25x9-c6hm
- github.com/pypa/advisory-database/tree/main/vulns/indico/PYSEC-2023-129.yaml