Unknown · Flask-Multipass · CVE-2026-25739
**Name of the Vulnerable Software and Affected Versions**
Indico versions prior to 3.3.10
**Description**
Indico, an event management system, is susceptible to a cross-site scripting (XSS) issue when specific file types are uploaded as materials. The issue stems from a flaw in the handling of file uploads, so the vulnerable component is the material upload functionality. Indico uses Flask-Multipass, a multi-backend authentication system for Flask. There is no information about the number of potentially affected systems worldwide or about any real-world incidents in which this issue was exploited.
**Recommendations**
Upgrade to version 3.3.10 to resolve the issue.
If using nginx with Indico's `STATIC_FILE_METHOD` set to `xaccelredirect`, update the webserver configuration to include the following line in the `.xsf/indico/` location block: `add_header Content-Security-Policy $upstream_http_content_security_policy;`.
As a workaround, apply a strict Content Security Policy for material download endpoints using your webserver configuration.
As a workaround, restrict content creation, including material uploads, to trustworthy users only.
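As an added example, not taken from the advisory or from Indico's own documentation, this is what the nginx location block for Indico's X-Accel-Redirect file delivery looks like with the recommended header line in place. The location path and the `alias` target are assumptions; adjust them to your deployment.

```nginx
# Added example (not from the advisory). Indico with STATIC_FILE_METHOD =
# 'xaccelredirect' answers a material download with an X-Accel-Redirect
# header pointing into this internal location, and nginx then serves the
# file itself. nginx does not forward arbitrary upstream response headers
# in that case, so the Content-Security-Policy that Indico sets on the
# download response must be re-emitted here from the upstream variable.
location /.xsf/indico/ {          # assumed path; match your config
    internal;
    alias /opt/indico/;           # assumed directory; match your config

    # Re-emit the CSP Indico sent on the proxied response. Without this
    # line the header is dropped and uploaded materials are served without
    # the policy that mitigates the XSS.
    add_header Content-Security-Policy $upstream_http_content_security_policy;

    # Caveat: an add_header inside a location replaces, rather than extends,
    # any add_header directives inherited from the server block. Repeat any
    # server-wide headers you still want on these responses, for example:
    # add_header X-Content-Type-Options nosniff;
}
```

After reloading nginx, confirm the header is present on a material download response (for example with `curl -I` against a material URL) rather than relying on the configuration alone.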