Thiefmaster

Name of the Vulnerable Software and Affected Versions: Indico versions prior to 3.3.8 Description: Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. A Cross-Site-Scripting issue exists when rendering LaTeX math code in contribution or abstract descriptions. Recommendations: Update to Indico version 3.3.8. As a workaround, restrict content creation to trusted users.

**Name of the Vulnerable Software and Affected Versions** Indico versions 3.2.9 through 3.3.5 **Description** A Broken Object Level Authorization (BOLA) issue allows attackers to read or access sensitive information by sending a crafted POST request to the "/api/principals" component. The supplier disputes this issue, stating that the product is designed to allow all users to retrieve certain information about other user accounts. **Recommendations** For Indico versions 3.2.9 through 3.3.5, as a temporary workaround, consider restricting access to the "/api/principals" component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Indico versions prior to 3.3.4 Flask-Multipass versions prior to 0.5.5 Description: There is a Cross-Site-Scripting issue during account creation when redirecting to the `next` URL. Exploitation requires initiating the account creation process with a maliciously crafted link, and then finalizing the signup process. This can only target newly created, and thus unprivileged, Indico users. Recommendations: For Indico versions prior to 3.3.4, update to Indico 3.3.4 as soon as possible. For those who build the Indico package themselves and cannot upgrade, update the `flask-multipass` dependency to `>=0.5.5`. Otherwise, configure the web server to disallow requests containing a query string with a `next` parameter that starts with `javascript:`.

**Name of the Vulnerable Software and Affected Versions** Indico versions prior to 3.2.6 **Description** There is a Cross-Site-Scripting issue in confirmation prompts used when deleting content from Indico. Exploitation requires someone with at least submission privileges and then someone else to attempt to delete this content. Event organizers may want to delete suspicious-looking content, posing a non-negligible risk of such an attack succeeding. This risk could be further increased with social engineering pointing the victim towards this content. **Recommendations** For versions prior to 3.2.6, update to Indico 3.2.6 as soon as possible. For users who cannot upgrade, only let trustworthy users manage categories, create events, or upload materials.

**Name of the Vulnerable Software and Affected Versions** CERN Indico versions prior to 2.3.4 **Description** The issue arises from Indico's URL generation logic, which can be exploited by an attacker to send a password reset link with a valid token to an attacker-controlled domain. This is achieved by sending the domain in the `Host` header. If a user clicks on such a link without realizing it does not point to Indico, their password reset token could be revealed to the attacker, allowing the attacker to reset the password and take over the user's Indico account. The vulnerability cannot be exploited if the web server enforces a canonical host name or if only SSO is used, although in the latter case, other links in emails set by Indico could still be tampered with. **Recommendations** For versions prior to 2.3.4, update to Indico 2.3.4 as soon as possible. To update, follow the instructions provided in the documentation. As a temporary workaround, configure the web server to canonicalize the URL to the hostname used for Indico. This can be achieved by applying the changes outlined in the commit to the existing web server configuration.

**Name of the Vulnerable Software and Affected Versions** werkzeug versions prior to 0.11.6 **Description** The issue is an open redirect vulnerability via a double slash in the URL. This can be exploited in werkzeug before version 0.11.6. **Recommendations** For versions prior to 0.11.6, update to version 0.11.6 or later to resolve the issue. As a temporary workaround, consider restricting URL access to prevent double slash exploitation until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** webargs versions prior to 5.1.3 **Description** An issue was discovered in webargs, where JSON parsing uses a short-lived cache to store the parsed JSON body. This cache is not thread-safe, meaning that incorrect JSON payloads could have been parsed for concurrent requests. **Recommendations** For versions prior to 5.1.3, update to version 5.1.3 or later to resolve the issue.