PyPi: Indico

CVE-2023-37901

Safety vulnerability ID: 59751

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jul 21, 2023 Updated at Mar 24, 2025

Advisory

Indico 3.2.6 includes a fix for a stored XSS vulnerability in the confirmation prompts shown when deleting content: user-supplied content (such as the title of the item being deleted) is rendered in the prompt without proper escaping. Exploitation requires an attacker with at least submission privileges (such as a speaker) and relies on a more privileged user later attempting to delete that content. Since event organizers are likely to delete suspicious-looking content when they encounter it, there is a non-negligible risk that such an attack succeeds, and the script then runs in the organizer's browser session.
https://github.com/indico/indico/pull/5862
https://github.com/indico/indico/security/advisories/GHSA-fmqq-25x9-c6hm
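The following JavaScript is added here as an illustration; it is not Indico's code and not the fix from the pull request above. It models the vulnerability class that the advisory and the changelog entry describe: a delete-confirmation prompt built by interpolating an attacker-chosen value (a contribution title, constructed for the example) into HTML without escaping, next to the escaped form and a small regression check a maintainer could keep around for prompt builders. The prompt wording, the function names and the `onerror` payload are assumptions made for the example.

```javascript
// Added example (not Indico's code): a delete-confirmation prompt as a stored XSS sink.
// Scenario from the advisory: a low-privileged submitter (e.g. a speaker) chooses a
// title containing markup; an organizer who later clicks "delete" gets a prompt of the
// form 'Do you really want to delete "<title>"?', and the title is parsed as HTML.

// Constructed attacker-controlled input (assumption: a contribution title).
const MALICIOUS_TITLE = 'Keynote<img src=x onerror="fetch(\'/steal?c=\'+document.cookie)">';
// Constructed benign input with characters that are special in HTML.
const BENIGN_TITLE = 'Keynote: A & B <3 security';

// Vulnerable pattern: the prompt body is built by string interpolation and would later
// be assigned to innerHTML (or rendered by a template that does not escape), so any
// markup in the title becomes live HTML in the organizer's browser.
function buildDeletePromptVulnerable(title) {
  return `<p>Do you really want to delete "${title}"?</p>`;
}

// Hardened pattern: escape every character that can open or close markup or an
// attribute before the value is interpolated into an HTML context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

function buildDeletePromptFixed(title) {
  return `<p>Do you really want to delete "${escapeHtml(title)}"?</p>`;
}

// Regression check for prompt builders: does the rendered HTML still contain any tag
// from the untrusted value verbatim? Returns the first such tag, or null. This is a
// narrow assertion for tests, not a general XSS detector.
function findUnescapedTag(html, untrusted) {
  const tags = untrusted.match(/<[a-zA-Z][^>]*>/g) || [];
  for (const tag of tags) {
    if (html.includes(tag)) return tag;
  }
  return null;
}

// Round-trip helper: decodes the five entities escapeHtml emits, so a test can confirm
// the hardened prompt still shows the organizer the exact title once the browser
// decodes it (escaping must not change what the user reads, only how it is parsed).
function unescapeHtml(value) {
  return value.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => ({
    amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'",
  }[e]));
}

// Usage: compare both builders on the constructed malicious title.
const vulnerablePrompt = buildDeletePromptVulnerable(MALICIOUS_TITLE);
const fixedPrompt = buildDeletePromptFixed(MALICIOUS_TITLE);
console.log('vulnerable prompt leaks tag:', findUnescapedTag(vulnerablePrompt, MALICIOUS_TITLE));
console.log('fixed prompt leaks tag:', findUnescapedTag(fixedPrompt, MALICIOUS_TITLE));
console.log('organizer sees:', unescapeHtml(escapeHtml(MALICIOUS_TITLE)));
```

The point of the check is that the fix belongs in the prompt builder (the HTML sink), not in input validation: a submitter is allowed to use `&`, `<` or quotes in a title, and the hardened prompt still displays them faithfully while refusing to treat them as markup.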

Affected package

indico

Latest version: 3.3.6

Indico is a full-featured conference lifecycle management and meeting/lecture scheduling tool

Affected versions

<3.2.6

Fixed versions

3.2.6

Vulnerability changelog

Version 3.2.6
-------------

*Released on July 20, 2023*

Security fixes
^^^^^^^^^^^^^^

- Fix an XSS vulnerability in various confirmation prompts commonly used when deleting
  things. Exploitation requires someone with at least submission privileges (such as a
  speaker) and then relies on someone else attempting to delete this content. However,
  considering that event organizers may indeed delete suspicious-looking content when
  encountering it, there is a non-negligible risk of such an attack succeeding. Because
  of this it is strongly recommended to upgrade as soon as possible (:pr:`5862`,
  :cve:`CVE-2023-37901`)

Internationalization
^^^^^^^^^^^^^^^^^^^^

- New translation: Czech

Improvements
^^^^^^^^^^^^

- Show which files were added or modified on each editing timeline revision (:pr:`5802`)
- Support rendering Japanese, Chinese & Korean letters in PDFs (:issue:`3120`, :pr:`5842`,
thanks :user:`adamjenkins`)
- Add button to adapt columns widths on the reviewing area's abstracts list (:pr:`5837`)
- Allow cloning category-level badge/poster templates into another category (:pr:`5775`,
thanks :user:`SegiNyn`)
- Allow using a custom link text in the ``{event_link}`` email placeholder, using the
``{event_link:something-else-here}`` syntax (:issue:`5858`, :pr:`5860`)
- Add option to add "event cancelled" semantics for event labels, which will disable
reminders for events having this label (:issue:`5285`, :pr:`5861`)

Bugfixes
^^^^^^^^

- Use correct name formatting in person link fields (:pr:`5835`)

Internal Changes
^^^^^^^^^^^^^^^^

- Support Python 3.11


Severity Details

CVSS v3 base score: 5.4 (MEDIUM)
Vector implied by the components below: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality Impact (C): LOW
Integrity Impact (I): LOW
Availability Impact (A): NONE

The components line up with the advisory: PR:L is the submitter (speaker) account needed to plant the payload, UI:R is the organizer clicking delete and reaching the confirmation prompt, and S:C reflects that the injected script executes in the organizer's browser session rather than in the Indico application itself.