PT-2023-26171 · Indico

Author: Thiefmaster
Published: 2023-07-21 · Updated: 2023-07-31
CVE: CVE-2023-37901
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Indico versions prior to 3.2.6
Description: There is a cross-site scripting (XSS) issue in the confirmation prompts shown when deleting content from Indico. Exploitation requires one user with at least submission privileges to create the content, and then another user to attempt to delete it. Because event organizers may want to delete suspicious-looking content, the risk of such an attack succeeding is non-negligible, and it is further increased if social engineering is used to point the victim towards this content.
Recommendations: For versions prior to 3.2.6, update to Indico 3.2.6 as soon as possible. For users who cannot upgrade, only let trustworthy users manage categories, create events, or upload materials.

Tags: XSS

Related Identifiers

CVE-2023-37901
GHSA-FMQQ-25X9-C6HM
PYSEC-2023-129

Affected Products

Indico