Homepage

indico@2.2.2 vulnerabilities

Indico is a full-featured conference lifecycle management and meeting/lecture scheduling tool

  • latest version

    3.3.5

  • latest non vulnerable version

    3.3.5

  • first published

    9 years ago

  • latest version published

    1 months ago

  • licenses detected

  • View indico package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the indico package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Cross-site Scripting (XSS)

    indico is a conference lifecycle management and meeting/lecture scheduling tool.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via confirmation prompts. Exploitation requires someone with at least submission privileges (such as a speaker) and then someone else to attempt to delete this content.

    How to fix Cross-site Scripting (XSS)?

    Upgrade indico to version 3.2.6 or higher.

    [,3.2.6)
    • M
    Cross-site Scripting (XSS)

    indico is a conference lifecycle management and meeting/lecture scheduling tool.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization when using \href{}.

    How to fix Cross-site Scripting (XSS)?

    Upgrade indico to version 3.2.5 or higher.

    [,3.2.5)
    • M
    Cross-site Scripting (XSS)

    indico is a conference lifecycle management and meeting/lecture scheduling tool.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization in global announcement messages.

    How to fix Cross-site Scripting (XSS)?

    Upgrade indico to version 3.2.3 or higher.

    [,3.2.3)
    • M
    Cross-site Scripting (XSS)

    indico is a conference lifecycle management and meeting/lecture scheduling tool.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the category picker (via category titles), location widget (via room and venue names defined by an Indico administrator) and the Indico Weeks View timetable theme (via contribution/break titles defined by an event organizer).

    How to fix Cross-site Scripting (XSS)?

    Upgrade indico to version 2.3.5 or higher.

    [,2.3.5)
    • M
    Open Redirect

    indico is a conference lifecycle management and meeting/lecture scheduling tool.

    Affected versions of this package are vulnerable to Open Redirect. The BASE_URL is not always enforced and requests whose Host header does not match are not rejected. Malicious actors can trick Indico into sending a password reset link to a user, that points to a host controlled by the attacker.

    How to fix Open Redirect?

    Upgrade indico to version 2.3.4 or higher.

    [,2.3.4)
    • M
    Information Exposure

    indico is a conference lifecycle management and meeting/lecture scheduling tool.

    Affected versions of this package are vulnerable to Information Exposure. Malicious users can run unsafe LaTeX commands on the server, which allows them to read local files (e.g. indico.conf). As far as is known it is not possible to write files or execute code using this vulnerability.

    How to fix Information Exposure?

    Upgrade indico to version 2.1.10, 2.2.3 or higher.

    [,2.1.10)[2.2.0,2.2.3)
    Go back to all versions of this package