Safety vulnerability ID: 76110
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Indico fixes an open redirect during account creation. Exploitation requires initiating account creation with a maliciously crafted link, and then finalizing the signup process, after which the user would be redirected to an external page instead of staying on Indico.
Latest version: 3.3.6
Indico is a full-featured conference lifecycle management and meeting/lecture scheduling tool
Version 3.3.6
-------------
*Released on December 02, 2024*
Security fixes
^^^^^^^^^^^^^^
- Fix an open redirect during account creation. Exploitation requires initiating
  account creation with a maliciously crafted link, and then finalizing the signup
  process, after which the user would be redirected to an external page instead of
  staying on Indico (thanks :user:`GauthierGitHub`)
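As an added example (not Indico's code and not the patch that shipped in 3.3.6), the kind of redirect-target check that closes this class of open redirect: a post-signup destination is only followed when it stays on the application's own host. It assumes a constructed host name ``indico.example.org`` and a hypothetical ``next`` parameter carrying the destination; everything else is sent to a fallback path.

```python
"""Added example (not Indico code): validate a post-signup redirect target
so that it can only point back to the application's own host."""
from urllib.parse import urlsplit

ALLOWED_HOST = "indico.example.org"  # constructed value, not Indico's config
FALLBACK_PATH = "/"                  # destination when the target is unsafe


def safe_redirect_target(next_url, allowed_host=ALLOWED_HOST):
    """Return a same-origin path for next_url, or FALLBACK_PATH if following
    next_url would leave allowed_host. The result never has a scheme or host."""
    if not next_url:
        return FALLBACK_PATH
    # Browsers treat backslashes like slashes, so normalise before parsing;
    # otherwise "/\\evil.example" parses here as a path but is followed by
    # the browser as a protocol-relative URL.
    parts = urlsplit(next_url.strip().replace("\\", "/"))
    if parts.scheme:
        # Only http(s) may be absolute, and an absolute URL needs a host part:
        # "https:/evil.example" has an empty netloc here but a browser
        # resolves it to evil.example.
        if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
            return FALLBACK_PATH
    # Compare the parsed hostname, not the raw netloc, so that userinfo
    # ("allowed-host@evil.example") and ports cannot disguise the host.
    if parts.netloc and parts.hostname != allowed_host.lower():
        return FALLBACK_PATH
    path = parts.path or "/"
    # Require an absolute path: a relative one could be resolved against a
    # different base, and "//" would again be protocol-relative.
    if not path.startswith("/") or path.startswith("//"):
        return FALLBACK_PATH
    target = path
    if parts.query:
        target += "?" + parts.query
    if parts.fragment:
        target += "#" + parts.fragment
    return target


if __name__ == "__main__":
    # Constructed inputs: one legitimate link plus the shapes a redirect
    # check must reject.
    for candidate in ["/event/42/", "https://indico.example.org/event/42/?x=1",
                      "//evil.example/", "/\\evil.example", "https:/evil.example",
                      "https://indico.example.org@evil.example/",
                      "javascript:alert(1)", "////evil.example"]:
        print(f"{candidate!r:48} -> {safe_redirect_target(candidate)!r}")
```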
Internationalization
^^^^^^^^^^^^^^^^^^^^
- New translation: Japanese
Improvements
^^^^^^^^^^^^
- Allow specifying "prev" and "next" as the date param on the category overview
  page to show the previous or next period relative to the current date (:pr:`6537`)
- Add caching and rate-limiting (configurable via :data:`LATEX_RATE_LIMIT`, and only applied
  to unauthenticated users) for endpoints that trigger LaTeX PDF generation (:pr:`6526`)
- Log changes to registration form settings in the event log (:pr:`6544`, thanks :user:`vtran99`)
- Improve conference participant list, especially when participants from multiple registration
  forms are shown separately (:issue:`6440`, :pr:`6489`)
- Include information about attached files in JSON export of abstracts (:pr:`6556`)
- Take session program codes into account when sorting parallel sessions with the same start time
  in meeting timetable (:pr:`6575`)
- Enforce browser-side caching of event logos and custom stylesheets (:issue:`6555`, :pr:`6559`)
- Default to banner-style (full width) logos in newly created conference events (:pr:`6572`,
  thanks :user:`omegak`)
- Add email placeholder for the picture associated with a registration (:pr:`6580`, thanks
  :user:`vtran99`)
- Allow setting placeholders for text fields in document templates (:pr:`6587`)
- Add a new document template for Certificates of Attendance (:pr:`6587`)
- Show correct repetition details for bookings repeating every n weeks (:pr:`6592`)
- Show context (event/contribution title etc.) in the title of the minutes editor (:issue:`6584`,
  :pr:`6591`)
- Streamline "get next editable" UI and only show editables that are still unassigned (:pr:`6583`)
- Add preview link for custom text snippets in registration notification emails (:issue:`6539`,
  :pr:`6560`, thanks :user:`Moliholy, unconventionaldotdev`)
- Stop spoofing email sender addresses when using the :data:`SMTP_ALLOWED_SENDERS` and
  :data:`SMTP_SENDER_FALLBACK` config settings. Instead, the *From* address will be rewritten
  to the fallback whenever the requested address is not an allowed sender (:pr:`6231`, thanks
  :user:`SegiNyn`)
- Allow alternative CSV delimiters everywhere when importing content from CSV files (:pr:`6607`,
  thanks :user:`Moliholy, unconventionaldotdev`)
- Improve readability of room booking room statistics card (:pr:`6616`)
- Add option to use flat zip file structure when downloading registration attachments
  (:issue:`6536`, :pr:`6608`, thanks :user:`Moliholy, unconventionaldotdev`)
Bugfixes
^^^^^^^^
- Make picture field more resilient when uploading and resizing pictures close to
  the max upload file size (:pr:`6530`, thanks :user:`SegiNyn`)
- Fix the order of the event classifications in edit mode (:issue:`6531`, :pr:`6534`)
- Fix an issue where scheduling a contribution on a day with an empty timetable would
  schedule it on the first day of the event instead (:issue:`6540`, :pr:`6541`)
- Fix error in unmerged participant list when the picture field is enabled and participant
  list columns have not been customized for that registration form (:pr:`6535`)
- Fix breakage of the registration form dropdown field (and anything else using a custom
  element that uses ``ElementInternals``) in older versions of Safari (:pr:`6549`, thanks
  :user:`foxbunny`)
- Fix linebreak display in markdown code blocks in survey section descriptions (:pr:`6553`)
- Include attached pictures when downloading registration attachments (:pr:`6564`)
- Only allow marking unpaid registrations as paid (:issue:`6330`, :pr:`6578`)
- Do not allow mixing notification rules for invited abstracts with other rules (:issue:`6563`,
  :pr:`6567`)
- Use locale-aware price formatting in registration form fields (:pr:`6586`)
- Handle badge designer items exceeding the canvas boundaries more gracefully (:pr:`6603`,
  thanks :user:`SegiNyn`)
- Fix tips not correctly positioning when contents are changed (:pr:`6797`, thanks
  :user:`foxbunny`)
Accessibility
^^^^^^^^^^^^^
- Improve country input accessibility (:pr:`6551`, thanks :user:`foxbunny`)
- Reimplement Checkbox to make it programmatically focusable (:pr:`6528`, thanks :user:`foxbunny`)
- Implement a ``RadioButton`` component to replace the SUI radio button in order to improve
  keyboard support (:pr:`6621`, thanks :user:`foxbunny`)
- Improve keyboard accessibility of the timetable sessions field in registration form (:pr:`6639`,
  thanks :user:`foxbunny`)
Internal Changes
^^^^^^^^^^^^^^^^
- Make positioning logic from TipBase generic and reusable (:pr:`6577`, :pr:`6588`, thanks
  :user:`foxbunny`)
- Add additional signals related to videoconferences and their event links (:pr:`6475`)
- Videoconference plugins now need to implement a ``delete_room`` method (:pr:`6475`)
- Support translator comments when extracting translatable strings (:pr:`6620`)
- ``renderAsFieldset`` option in the registration field registry can now be a function that
  returns a boolean (:pr:`6621`, thanks :user:`foxbunny`)
- Allow overriding global theme settings for custom meeting themes (:pr:`6622`)