PT-2025-29511 · Flask-Multipass, Indico

Rafaelcorvino1 · Published 2025-07-14 · Updated 2025-09-15

CVE-2025-53640 · CVSS v3.1 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Indico versions 2.2 up to, but not including, 3.3.7 (the fix ships in 3.3.7).
Description: Indico is an event management system built on Flask-Multipass, a multi-backend authentication system for Flask. An endpoint used to display details of users listed in certain fields did not adequately check whether the caller was entitled to see the requested user. Any authenticated user (the CVSS vector requires low privileges, PR:L, and no user interaction) could call it repeatedly with different user identifiers to dump basic user details (name, affiliation, and email) in bulk. Only confidentiality is affected (C:H); integrity and availability are not.
Recommendations: Upgrade to Indico 3.3.7 or later. If an immediate upgrade is not possible, consider restricting user search to managers, and restrict access to the affected endpoints in the webserver configuration.
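The weakness class this advisory tags (IDOR / missing authorization on a user-details lookup) shown as a vulnerable handler beside a hardened one, with a loop that simulates the bulk dump. This is an added example, not Indico's or Flask-Multipass's code: the user records, the manager role, the `visible_ids` context and all function names are constructed for illustration.

```python
"""Added illustration of the weakness class named in this advisory (IDOR /
missing authorization on a user-details endpoint). This is not Indico's or
Flask-Multipass's code; the users, roles and handler names are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    id: int
    name: str
    affiliation: str
    email: str
    is_manager: bool = False


# Constructed sample directory standing in for the application's user table.
USERS: Dict[int, User] = {
    1: User(1, "Alice Example", "Example University", "alice@example.org", True),
    2: User(2, "Bob Sample", "Sample Labs", "bob@example.org"),
    3: User(3, "Carol Test", "Test Institute", "carol@example.org"),
    4: User(4, "Dan Demo", "Demo Corp", "dan@example.org"),
}

Response = Tuple[int, Optional[dict]]


def _details(u: User) -> dict:
    # The "basic user details" the advisory says could be dumped.
    return {"id": u.id, "name": u.name, "affiliation": u.affiliation, "email": u.email}


def vulnerable_user_details(requester: Optional[User], user_id: int) -> Response:
    """Vulnerable pattern: the handler only checks that the caller is logged in
    (CVSS PR:L) and then resolves whatever id was supplied. Nothing ties the id
    to anything the caller is entitled to see, so iterating ids dumps the
    whole directory."""
    if requester is None:
        return 401, None
    target = USERS.get(user_id)
    if target is None:
        return 404, None
    return 200, _details(target)


def hardened_user_details(requester: Optional[User], user_id: int,
                          visible_ids: FrozenSet[int]) -> Response:
    """Hardened pattern: serve the record only to managers, or when the
    requested user is one the caller is already allowed to see (for example, a
    user listed in a field of an event the caller can access). `visible_ids` is
    a constructed stand-in for that per-request context. Forbidden and unknown
    ids get the same status so the endpoint cannot be used to learn which ids
    exist (a design choice in this example, not something the advisory states)."""
    if requester is None:
        return 401, None
    if not (requester.is_manager or user_id in visible_ids):
        return 404, None
    target = USERS.get(user_id)
    if target is None:
        return 404, None
    return 200, _details(target)


def enumerate_directory(handler: Callable[[int], Response],
                        id_range: Iterable[int]) -> List[dict]:
    """Simulates the bulk misuse: walk a range of ids and keep every 200 body."""
    return [body for status, body in map(handler, id_range) if status == 200]


if __name__ == "__main__":
    bob = USERS[2]  # an ordinary authenticated user, not a manager
    leaked = enumerate_directory(lambda uid: vulnerable_user_details(bob, uid), range(1, 100))
    kept = enumerate_directory(lambda uid: hardened_user_details(bob, uid, frozenset({1})), range(1, 100))
    print(f"vulnerable handler leaked {len(leaked)} records, hardened handler served {len(kept)}")
```

Run against the constructed directory, the vulnerable handler hands a non-manager every record in the table, while the hardened one returns only the single user that caller is already allowed to see; a manager still gets everything, which is the effect of the "restrict user search to managers" mitigation above. Returning 404 rather than 403 for ids outside `visible_ids` is the example's own choice to avoid turning the endpoint into an existence oracle.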

Weakness Enumeration

IDOR
Missing Authorization
Information Disclosure

Related Identifiers

CVE-2025-53640
GHSA-Q28V-664F-Q6WJ

Affected Products

Flask-Multipass
Indico