indico@1.9.11.dev16 vulnerabilities

Indico is a full-featured conference lifecycle management and meeting/lecture scheduling tool

Direct Vulnerabilities

Known vulnerabilities in the indico package. This does not include vulnerabilities belonging to this package’s dependencies.

Severity: Medium
Cross-site Scripting (XSS)

indico is a conference lifecycle management and meeting/lecture scheduling tool.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via confirmation prompts. Exploitation requires a user with at least submission privileges (such as a speaker) to submit the content, and then another user to attempt to delete that content.

How to fix Cross-site Scripting (XSS)?

Upgrade indico to version 3.2.6 or higher.

Vulnerable versions: [,3.2.6)

Severity: Medium
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization when using \href{}.

How to fix Cross-site Scripting (XSS)?

Upgrade indico to version 3.2.5 or higher.

Vulnerable versions: [,3.2.5)

Severity: Medium
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization in global announcement messages.

How to fix Cross-site Scripting (XSS)?

Upgrade indico to version 3.2.3 or higher.

Vulnerable versions: [,3.2.3)

Severity: Low
Improper Authorization

Affected versions of this package are vulnerable to Improper Authorization, which allows managers or coordinators to modify timetable entries or schedule contributions that are not assigned to their session, and also allows unauthorized users to access timetable entry details.

How to fix Improper Authorization?

Upgrade indico to version 2.1.3 or higher.

Vulnerable versions: [,2.1.3)

Severity: Medium
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the category picker (via category titles), location widget (via room and venue names defined by an Indico administrator) and the Indico Weeks View timetable theme (via contribution/break titles defined by an event organizer).

How to fix Cross-site Scripting (XSS)?

Upgrade indico to version 2.3.5 or higher.

Vulnerable versions: [,2.3.5)

Severity: Medium
Open Redirect

Affected versions of this package are vulnerable to Open Redirect. The BASE_URL is not always enforced, and requests whose Host header does not match it are not rejected. Malicious actors can trick Indico into sending a user a password reset link that points to a host controlled by the attacker.

How to fix Open Redirect?

Upgrade indico to version 2.3.4 or higher.

Vulnerable versions: [,2.3.4)

Severity: Medium
Information Exposure

Affected versions of this package are vulnerable to Information Exposure. Malicious users can run unsafe LaTeX commands on the server, which allows them to read local files (e.g. indico.conf). As far as is known it is not possible to write files or execute code using this vulnerability.

How to fix Information Exposure?

Upgrade indico to version 2.1.10 or higher (for the 2.1 series), or 2.2.3 or higher (for the 2.2 series).

Vulnerable versions: [,2.1.10), [2.2.0,2.2.3)