PT-2019-20011 · Indico · Indico

Published 2019-10-11 · Updated 2019-10-11

Severity: None. No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

Indico versions prior to 2.2.3
Indico versions prior to 2.1.10

Description

A vulnerability in Indico's LaTeX sanitization code allows malicious users to run unsafe LaTeX commands on the server, potentially leading to local file disclosure. For example, an attacker could read local files such as indico.conf. However, it is not possible to write files or execute code using this vulnerability.
Recommendations

For Indico versions prior to 2.2.3, update to Indico 2.2.3 as soon as possible. For Indico versions prior to 2.1.10, update to Indico 2.1.10 if updating to 2.2 is not feasible. As a temporary workaround, setting XELATEX_PATH = None in indico.conf will prevent the vulnerability from being abused, but PDF generation will then fail with an error.
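An added exposure check for the two points above (the affected version ranges and the XELATEX_PATH workaround). This is example code written for this page, not Indico's own; it assumes the fixed releases stated in the advisory (2.1.10 and 2.2.3) and that indico.conf is a Python-syntax settings file with a top-level XELATEX_PATH assignment, and the config excerpt it reads is constructed.

```python
import re

# Fixed releases as stated in the advisory (assumption: these are the only
# two fix points; everything older than the 2.1 backport is also affected).
FIXED_2_1 = (2, 1, 10)
FIXED_2_2 = (2, 2, 3)

# Matches an uncommented top-level "XELATEX_PATH = <value>" line, ignoring
# any trailing "# comment"; a leading "#" makes the line not match.
XELATEX_RE = re.compile(r"^\s*XELATEX_PATH\s*=\s*(.+?)\s*(?:#.*)?$", re.M)

# Constructed indico.conf excerpt, not taken from any real deployment.
SAMPLE_CONF = """\
# constructed indico.conf excerpt
XELATEX_PATH = None  # temporary workaround for PT-2019-20011
"""

def parse_version(text):
    """Turn '2.2.2' (or '2.2', '2.2.3rc1') into a comparable (major, minor, patch)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?.*", text.strip())
    if not m:
        raise ValueError(f"unrecognised Indico version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_affected(version):
    """True if this Indico release predates the fix for its branch."""
    v = parse_version(version)
    if v >= FIXED_2_2:          # 2.2.3 and anything newer carries the fix
        return False
    if v >= (2, 2, 0):          # 2.2.0 .. 2.2.2 predate the 2.2 fix
        return True
    return v < FIXED_2_1        # 2.1.x below 2.1.10, and every older line

def workaround_active(conf_text):
    """True if the last effective XELATEX_PATH assignment disables PDF building."""
    values = XELATEX_RE.findall(conf_text)
    return bool(values) and values[-1] == "None"

def assess(version, conf_text):
    """Summarise exposure of one installation to PT-2019-20011."""
    if not is_affected(version):
        return "not affected"
    if workaround_active(conf_text):
        return "affected, workaround active (PDF export disabled)"
    return "affected, update required"

if __name__ == "__main__":
    print(assess("2.2.2", SAMPLE_CONF))
```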

Command Injection


Weakness Enumeration

Related Identifiers

GHSA-67CX-RHHQ-MFHQ

Affected Products

Indico