PT-2024-31603 · Unknown+1 · Flask-Multipass+1
Thiefmaster · Published 2024-09-04 · Updated 2024-09-24 · CVE-2024-45399
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Indico versions prior to 3.3.4; Flask-Multipass versions prior to 0.5.5
Description: There is a Cross-Site-Scripting issue during account creation when redirecting to the next URL. Exploitation requires initiating the account creation process with a maliciously crafted link, and then finalizing the signup process. This can only target newly created, and thus unprivileged, Indico users.
Recommendations: For Indico versions prior to 3.3.4, update to Indico 3.3.4 as soon as possible. For those who build the Indico package themselves and cannot upgrade, update the flask-multipass dependency to >=0.5.5. Otherwise, configure the web server to disallow requests containing a query string with a next parameter that starts with javascript:.
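As an added illustration of the check the recommendation above describes (example code, not Flask-Multipass's or Indico's own fix), the following Python helper validates a next redirect target before it is used: it rejects javascript: and other non-http(s) schemes, protocol-relative and off-host absolute URLs, and whitespace or control-character smuggling inside the scheme. The host name indico.example is an assumed placeholder.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")


def safe_next_url(next_url, allowed_host, default="/"):
    """Return next_url if it is a safe redirect target, else default.

    Illustrative check for the bug class in this advisory (example code,
    not the Flask-Multipass fix): a ``next`` value that is rendered into a
    redirect must never carry a javascript: or other non-http scheme.
    """
    if not next_url:
        return default
    # Browsers ignore leading whitespace and embedded tab/newline before and
    # inside a scheme ("java\tscript:"), so normalise before parsing.
    candidate = "".join(ch for ch in next_url.strip() if ch.isprintable())
    parts = urlsplit(candidate)
    scheme = parts.scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return default  # javascript:, data:, vbscript:, ...
    if parts.netloc:
        # Absolute or protocol-relative (//host) URL: netloc must equal our
        # host exactly; userinfo ("host@evil") or a port makes it differ.
        if parts.netloc.lower() != allowed_host.lower():
            return default
        return candidate
    # No netloc: accept only a plain local path. "/\evil" is rejected because
    # browsers treat the backslash as a second slash (protocol-relative).
    if not candidate.startswith("/") or candidate.startswith(("//", "/\\")):
        return default
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs; indico.example is a placeholder host.
    for value in ("/event/1", "javascript:alert(1)", " JavaScript:alert(1)",
                  "java\tscript:alert(1)", "//evil.example/",
                  "https://indico.example/login", "https://evil.example/"):
        print(repr(value), "->", safe_next_url(value, "indico.example"))
```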

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2024-45399
GHSA-RRQF-W74J-24FF
PYSEC-2024-90

Affected Products

Flask-Multipass
Indico