PT-2021-18659 · Cern · Indico
Reported by Thiefmaster · Published 2021-04-07 · Updated 2021-04-15 · CVE-2021-30185
CVSS v4.0: 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
CERN Indico versions prior to 2.3.4
Description
The issue arises from Indico's URL generation logic, which can be exploited by an attacker to have Indico send a password reset link containing a valid token to an attacker-controlled domain. This is achieved by supplying that domain in the Host header of the password reset request. If the user clicks on such a link without noticing that it does not point to Indico, their password reset token is revealed to the attacker, who can then reset the password and take over the user's Indico account. The vulnerability cannot be exploited if the web server enforces a canonical host name or if only SSO is used, although in the latter case other links in emails sent by Indico could still be tampered with.
Recommendations
For versions prior to 2.3.4, update to Indico 2.3.4 as soon as possible, following the upgrade instructions in the documentation. As a temporary workaround, configure the web server to canonicalize the URL to the hostname used for Indico, for example by applying the changes outlined in the fix commit to the existing web server configuration.
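To illustrate the weakness and the mitigation described above, the following added example (not Indico's own code) contrasts a reset link built from the request's Host header with one built from a configured canonical base URL, and adds a check that rejects requests whose Host header is not the expected hostname. `CANONICAL_BASE_URL`, `ALLOWED_HOSTS` and the function names are assumptions for illustration.

```python
"""Added example, not code from Indico: canonical-host handling for
password reset links.  All names and the hostname are constructed."""
from urllib.parse import urlsplit, urlunsplit

# Constructed value: the hostname the deployment is actually served under.
CANONICAL_BASE_URL = "https://indico.example.org"
ALLOWED_HOSTS = {urlsplit(CANONICAL_BASE_URL).hostname}


def vulnerable_reset_link(host_header: str, token: str) -> str:
    """Weak pattern: the link is derived from whatever Host the client sent,
    so an unexpected Host lands in the email together with a valid token."""
    return f"https://{host_header}/reset-password/{token}"


def host_is_canonical(host_header: str) -> bool:
    """True only when the Host header names the configured hostname.
    Parsing it as a network location strips any port and handles
    bracketed IPv6 literals; unparsable or empty values are rejected."""
    try:
        host = urlsplit("//" + host_header.strip()).hostname
    except ValueError:
        return False
    return host is not None and host in ALLOWED_HOSTS


def safe_reset_link(host_header: str, token: str) -> str:
    """Hardened pattern: refuse requests for an unexpected host and never
    derive the link from the request; always use the configured base URL."""
    if not host_is_canonical(host_header):
        raise ValueError(f"unexpected Host header: {host_header!r}")
    scheme, netloc, _path, _query, _frag = urlsplit(CANONICAL_BASE_URL)
    return urlunsplit((scheme, netloc, f"/reset-password/{token}", "", ""))
```

The same check belongs in front of every link Indico embeds in outgoing email, since the advisory notes that those can be tampered with the same way even when SSO is in use.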
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Indico