Safety vulnerability ID: 40431
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Indico 2.3.4 includes a fix for CVE-2021-30185: CERN Indico before 2.3.4 can use an attacker-supplied Host header in a password reset link.
Latest version: 3.3.6
Indico is a full-featured conference lifecycle management and meeting/lecture scheduling tool.

Version 2.3.4
-------------
*Released on March 11, 2021*
Security fixes
^^^^^^^^^^^^^^
- Fix some open redirects which could help make harmful URLs look more trustworthy by linking
  to Indico and having it redirect the user to a malicious site (:issue:`4814`, :pr:`4815`)
- The :data:`BASE_URL` is now always enforced and requests whose Host header does not match
  are rejected. This prevents malicious actors from tricking Indico into sending e.g. a
  password reset link to a user that points to a host controlled by the attacker instead of
  the actual Indico host (:pr:`4815`)
.. note::

   If the webserver is already configured to enforce a canonical host name and redirects or
   rejects such requests, this cannot be exploited. Additionally, exploiting this problem requires
   user interaction: they would need to click on a password reset link which they never requested,
   and which points to a domain that does not match the one where Indico is running.
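The fix described above has two halves: reject requests whose ``Host`` header does not name the configured host, and build absolute links (such as a password reset link) from the configured base URL rather than from the request. The following is an added illustration of that pattern, not Indico's own code; the ``BASE_URL`` value, function names and the ``/reset-password/<token>`` path are constructed for the example.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed example value: the canonical base URL an operator configures.
BASE_URL = "https://indico.example.org"


def _normalize_host(host: str, default_port: int) -> str:
    """Lower-case a host[:port] value and drop the scheme's default port."""
    host = host.strip().lower()
    suffix = f":{default_port}"
    if host.endswith(suffix):
        host = host[: -len(suffix)]
    return host


def host_matches_base_url(host_header: Optional[str], base_url: str = BASE_URL) -> bool:
    """True only if the request's Host header names the configured host.

    Requests whose Host header does not match are rejected before any URL
    is built from them; a missing header is treated as a mismatch.
    """
    if not host_header:
        return False
    base = urlsplit(base_url)
    default_port = 443 if base.scheme == "https" else 80
    expected = _normalize_host(base.netloc, default_port)
    return _normalize_host(host_header, default_port) == expected


def reset_link_from_request(host_header: str, token: str) -> str:
    """The weak pattern the fix removes: the link inherits whatever Host the client sent."""
    return f"https://{host_header}/reset-password/{token}"


def reset_link_from_base_url(token: str, base_url: str = BASE_URL) -> str:
    """The hardened pattern: absolute links are derived only from the configured BASE_URL."""
    return f"{base_url.rstrip('/')}/reset-password/{token}"


def handle_reset_request(host_header: Optional[str], token: str,
                         base_url: str = BASE_URL) -> Tuple[int, Optional[str]]:
    """Combine the Host check and the safe link builder as a request handler would."""
    if not host_matches_base_url(host_header, base_url):
        return 400, None  # reject: Host header does not match the canonical host
    return 200, reset_link_from_base_url(token, base_url)
```

Host comparison is case-insensitive and ignores a redundant default port (``:443`` for https), but a non-default port in ``BASE_URL`` must appear in the header too.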
Improvements
^^^^^^^^^^^^
- Fail more gracefully if a user has an invalid locale set and fall back to the default
  locale or English in case the default locale is invalid as well
- Log an error if the configured default locale does not exist
- Add ID-1 page size for badge printing (:pr:`4774`, thanks :user:`omegak`)
- Allow managers to specify a reason when rejecting registrants and add a new placeholder
  for the rejection reason when emailing registrants (:pr:`4769`, thanks :user:`vasantvohra`)
Bugfixes
^^^^^^^^
- Fix the "Videoconference Rooms" page in conference events when there are any VC rooms
  attached but the corresponding plugin is no longer installed
- Fix deleting events which have a videoconference room attached which has its VC plugin
  no longer installed
- Do not auto-redirect to SSO when an MS office user agent is detected (:issue:`4720`,
  :pr:`4731`)
- Allow Editing team to view editables of unpublished contributions (:issue:`4811`, :pr:`4812`)
Internal Changes
^^^^^^^^^^^^^^^^
- Also trigger the ``ical-export`` metadata signal when exporting events for a whole category
- Add ``primary_email_changed`` signal (:pr:`4802`, thanks :user:`openprojects`)