PyPI package
indico
pkg:pypi/indico
Vulnerabilities (11)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33046 | — | | | < 3.3.12 | 3.3.12 | Mar 23, 2026 | Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.12, due to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's LaTeX sanitizer, it is possible to use spec |
| CVE-2026-28352 | — | | | < 3.3.11 | 3.3.11 | Feb 27, 2026 | Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.11, the API endpoint used to manage event series is missing an access check, allowing unauthenticated/unauthorized access to this endpoint. Th |
| CVE-2026-25739 | — | | | < 3.3.10 | 3.3.10 | Feb 19, 2026 | Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to cross-site scripting when uploading certain file types as materials. Users should upgrade to version 3.3.10 to receive a pat |
| CVE-2026-25738 | — | | | < 3.3.10 | 3.3.10 | Feb 19, 2026 | Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing requests to user-provided URLs in various places. This is mostly intentio |
| CVE-2025-59035 | — | | | < 3.3.8 | 3.3.8 | Sep 10, 2025 | Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Prior to version 3.3.8, there is a Cross-Site-Scripting vulnerability when rendering LaTeX math code in contribution or abstract descriptions. Users should update t |
| CVE-2025-59034 | — | | | < 3.3.8 | 3.3.8 | Sep 10, 2025 | Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Prior to version 3.3.8, a legacy API to retrieve user details could be misused to retrieve profile details of other users without having admin permissions due to a bro |
| CVE-2025-53640 | — | | | >= 2.2, < 3.3.7 | 3.3.7 | Jul 14, 2025 | Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Starting in version 2.2 and prior to version 3.3.7, an endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic |
| CVE-2024-50633 | — | | | >= 3.2.9, < 3.3.3 | 3.3.3 | Jan 16, 2025 | A Broken Object Level Authorization (BOLA) vulnerability in Indico through 3.3.5 allows attackers to read information by sending a crafted POST request to the component /api/principals. NOTE: this is disputed by the Supplier because the product intentionally lets all users retrie |
| CVE-2024-45399 | — | | | < 3.3.4 | 3.3.4 | Sep 4, 2024 | Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In Indico prior to version 3.3.4, corresponding to Flask-Multipass prior to version 0.5.5, there is a Cross-Site-Scripting vulnerability during account creation when r |
| CVE-2023-37901 | — | | | < 3.2.6 | 3.2.6 | Jul 21, 2023 | Indico is an open-source, general-purpose, web-based event management tool. There is a Cross-Site-Scripting vulnerability in confirmation prompts commonly used when deleting content from Indico. Exploitation requires someone with at least submission privileges (such as a speaker |
| CVE-2021-30185 | — | | | < 2.3.4 | 2.3.4 | Apr 7, 2021 | CERN Indico before 2.3.4 can use an attacker-supplied Host header in a password reset link. |
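The last row (CVE-2021-30185) describes the classic Host-header poisoning of a password-reset mail: if the absolute URL in the mail is built from the request's Host header, an attacker who triggers a reset for a victim and supplies their own Host receives the reset token when the victim clicks the link. The following is an added example, not Indico's own code, contrasting the vulnerable link builder with one that takes its origin from configuration, plus a Host allowlist check; the request dicts, `BASE_URL`, `ALLOWED_HOSTS` and the function names are assumptions for the demonstration.

```python
"""Added example, not Indico's own code: why a password-reset link must never
take its origin from the request's Host header, and the two controls that
close that hole (an origin taken from configuration, and rejecting any Host
that is not an expected name). Request dicts, BASE_URL and ALLOWED_HOSTS are
assumed names for this demonstration."""
import re
import secrets
from urllib.parse import urlsplit, urlunsplit

# Constructed sample requests: the same reset request, once with the expected
# Host header and once with an attacker-supplied one. The Host header is
# client-controlled, and a reverse proxy will often pass it through unchanged.
GENUINE_REQUEST = {"scheme": "https", "headers": {"Host": "events.example.org"}}
POISONED_REQUEST = {"scheme": "https", "headers": {"Host": "attacker.example.net"}}

# Deployment configuration (assumed names; these are not Indico settings).
BASE_URL = "https://events.example.org"
ALLOWED_HOSTS = {"events.example.org"}

# hostname[:port] only; rejects userinfo tricks such as "evil@good" and anything
# that is not plain host syntax (IPv6 literals are deliberately not accepted).
_HOST_RE = re.compile(r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)(?::\d{1,5})?$")


def reset_link_from_host_header(request, token):
    """Vulnerable pattern: the link's origin is whatever Host the client sent.
    A victim who clicks the mailed link sends the token to that host."""
    host = request["headers"]["Host"]
    return urlunsplit((request["scheme"], host, "/reset-password", f"token={token}", ""))


def reset_link_from_config(token):
    """Hardened pattern: the origin comes from server configuration only."""
    base = urlsplit(BASE_URL)
    return urlunsplit((base.scheme, base.netloc, "/reset-password", f"token={token}", ""))


def host_is_trusted(request):
    """Defence in depth: refuse requests whose Host is not a configured name, so
    a mismatched Host never reaches any code that builds absolute URLs. The port
    is ignored and the name is lowercased, so 'Events.Example.org:443' matches."""
    match = _HOST_RE.match(request["headers"].get("Host", ""))
    return match is not None and match.group("name").lower() in ALLOWED_HOSTS


def issue_reset_link(request, token):
    """Both controls together: reject untrusted Hosts, then build from config."""
    if not host_is_trusted(request):
        raise ValueError("untrusted Host header: %r" % request["headers"].get("Host"))
    return reset_link_from_config(token)


if __name__ == "__main__":
    token = secrets.token_urlsafe(32)
    # The vulnerable builder turns the poisoned request into a link on the attacker's host.
    print(reset_link_from_host_header(POISONED_REQUEST, token))
    print(issue_reset_link(GENUINE_REQUEST, token))
```

The allowlist is the same idea as Flask's `SERVER_NAME`/`TRUSTED_HOSTS` style settings: fix the set of names the application answers to at deployment time and never let a header decide what origin goes into a mail.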
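CVE-2026-25738 in the table above is a server-side request forgery in code that fetches user-provided URLs. The fix for that class of bug comes down to one check run before the server opens a connection: allow only http/https, refuse embedded credentials, and require every address the host resolves to be publicly routable. Below is an added example of that check, not Indico's own code; the resolver is injectable so it can be exercised offline, and `FAKE_DNS` together with the function names are assumptions for the demonstration.

```python
"""Added example, not Indico's own code: validating a user-supplied URL before
the server fetches it. The rule is generic (scheme allowlist, no embedded
credentials, every resolved address must be public); FAKE_DNS and the
function names are assumptions for this demonstration."""
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolve(hostname):
    """Resolve with the OS resolver and return every A/AAAA address as a string."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def is_public_address(addr):
    """True only for addresses a server may contact on a user's behalf."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 literal (::ffff:127.0.0.1) must be judged as its IPv4 form.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918 / ULA, link-local (which covers the
    # 169.254.169.254 cloud metadata endpoint), CGNAT and documentation ranges; the
    # extra checks close gaps older Python versions leave for multicast and reserved space.
    return ip.is_global and not (ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url, resolve=system_resolve):
    """Return the sorted list of addresses the fetch may connect to, or raise ValueError.
    `resolve` is injectable so the check can run without network access."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials embedded in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        ipaddress.ip_address(host)  # literal address: nothing to resolve
        addrs = {host}
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise ValueError("host does not resolve: %r" % host)
    # Reject if *any* record is non-public; a name under attacker control can mix a
    # public and an internal address and rely on the client picking the internal one.
    blocked = sorted(a for a in addrs if not is_public_address(a))
    if blocked:
        raise ValueError("host resolves to non-public address(es): %s" % ", ".join(blocked))
    return sorted(addrs)


# Constructed DNS data for an offline demonstration (not real records).
FAKE_DNS = {
    "public.example.org": {"8.8.8.8"},
    "metadata.example.internal": {"169.254.169.254"},
    "mixed.example.net": {"8.8.8.8", "10.0.0.5"},
}


def fake_resolve(hostname):
    return FAKE_DNS.get(hostname, set())


if __name__ == "__main__":
    for url in ("https://public.example.org/feed.xml",
                "http://metadata.example.internal/latest/meta-data/",
                "http://mixed.example.net/",
                "http://[::ffff:127.0.0.1]/admin",
                "ftp://public.example.org/"):
        try:
            print("allow", url, validate_outbound_url(url, resolve=fake_resolve))
        except ValueError as exc:
            print("block", url, "->", exc)
```

Two caveats a practitioner should keep in mind. First, the address list returned here is only trustworthy if the HTTP client connects to one of those addresses rather than resolving the name a second time (DNS rebinding), so either pin the address into the connection or re-run the check inside the client's connect hook. Second, redirects are new URLs and must be validated again before they are followed; disabling automatic redirect following and handling them by hand is the simplest way to guarantee that.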