CERN · Indico · CVE-2026-25738
**Name of the Vulnerable Software and Affected Versions**
Indico versions prior to 3.3.10
**Description**
Indico, an event management system, makes outgoing HTTP requests to URLs supplied by users. This is intended functionality, but it means the server can be pointed at destinations it should never reach on a user's behalf, such as services bound to localhost or cloud instance metadata endpoints (server-side request forgery, SSRF). The risk is limited to users with event-organizer rights who can reach the endpoints where the fetched response is shown back to them. How much that matters depends on what those internal targets expose without authentication: on AWS, for example, an instance metadata service that enforces IMDSv2 (a session token must first be obtained with a PUT request before any metadata can be read) is far harder to reach through a simple URL fetch than one that answers plain unauthenticated GET requests.
**Recommendations**
Versions prior to 3.3.10 should be upgraded to version 3.3.10 or later.
As an additional layer of defense, set the `http_proxy` and `https_proxy` environment variables on both the indico-uwsgi and indico-celery services so that every outgoing request is routed through a proxy that only forwards to approved destinations and refuses loopback, private and link-local addresses (the metadata endpoint included). Do not add internal hosts to `no_proxy`: anything matched there bypasses the proxy and with it the restriction.
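One way to put this recommendation into practice, as an added example that is not Indico's own tooling or part of the advisory: it assumes the systemd unit names indico-uwsgi and indico-celery named above, a hypothetical egress proxy at http://egress-proxy.internal:3128, and Squid as the limiting proxy (any proxy that can enforce a destination allow-list would do). The systemd directory can be overridden for a dry run.

```shell
#!/bin/sh
# Added example, not Indico's own code. Assumes the systemd unit names
# indico-uwsgi.service and indico-celery.service from the advisory, a
# hypothetical egress proxy URL, and Squid as the limiting proxy.
set -eu

PROXY_URL="${PROXY_URL:-http://egress-proxy.internal:3128}"   # assumed proxy address
SYSTEMD_DIR="${SYSTEMD_DIR:-/etc/systemd/system}"             # override for a dry run

# Write a drop-in that hands the proxy variables to one unit. Both spellings
# are set because HTTP client libraries differ in which one they read.
# no_proxy is deliberately absent: a host listed there would skip the proxy.
write_proxy_dropin() {
    unit="$1"
    dir="$SYSTEMD_DIR/$unit.service.d"
    mkdir -p "$dir"
    cat > "$dir/10-egress-proxy.conf" <<EOF
[Service]
Environment=http_proxy=$PROXY_URL
Environment=https_proxy=$PROXY_URL
Environment=HTTP_PROXY=$PROXY_URL
Environment=HTTPS_PROXY=$PROXY_URL
EOF
    printf '%s\n' "$dir/10-egress-proxy.conf"
}

# Print the https_proxy value a unit's drop-in sets; fail if there is none.
dropin_proxy() {
    f="$SYSTEMD_DIR/$1.service.d/10-egress-proxy.conf"
    [ -f "$f" ] || return 1
    sed -n 's/^Environment=https_proxy=//p' "$f"
}

# Succeed only if no drop-in for the unit reintroduces a no_proxy bypass.
dropin_has_no_bypass() {
    ! grep -qsi '^Environment=no_proxy=' "$SYSTEMD_DIR/$1.service.d"/*.conf
}

# Emit a minimal Squid policy (assumed proxy) that refuses loopback, private,
# link-local (metadata) and IPv6-local destinations, then allows only the
# listed domains. $1 is the output path, the rest are dstdomain patterns.
write_squid_acl() {
    out="$1"; shift
    [ $# -ge 1 ] || return 1          # an empty allow-list is a config error
    {
        printf 'acl internal_dst dst 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16\n'
        printf 'acl internal_dst dst 169.254.0.0/16 ::1/128 fc00::/7 fe80::/10\n'
        for pat in "$@"; do
            printf 'acl allowed_dst dstdomain %s\n' "$pat"
        done
        printf 'http_access deny internal_dst\n'
        printf 'http_access allow allowed_dst\n'
        printf 'http_access deny all\n'
    } > "$out"
    printf '%s\n' "$out"
}

main() {
    for unit in indico-uwsgi indico-celery; do
        write_proxy_dropin "$unit"
    done
    write_squid_acl /etc/squid/indico-egress.conf .example.org   # assumed paths
    # Then on the host:
    #   systemctl daemon-reload && systemctl restart indico-uwsgi indico-celery
    #   systemctl show -p Environment indico-uwsgi
}

if [ "${RUN_MAIN:-0}" = 1 ]; then
    main
fi
```

Run with `RUN_MAIN=1` as root to write the real files, then `systemctl daemon-reload`, restart both units and confirm with `systemctl show -p Environment indico-uwsgi`. In Squid the first matching `http_access` line wins, so the generated file must be included before Squid's own allow rules, and the deny of loopback, private and link-local ranges is placed before the allow-list so that an approved domain resolving to an internal address is still refused.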