CVE-2025-53640

Severity: Medium (CVSS 4.0 base score 5.3)
EPSS: 42.7%
Published: Jul 14, 2025
Last Modified: Jun 17, 2026

Description

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Starting in version 2.2 and prior to version 3.3.7, an endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (name, affiliation and email) in bulk. The CVSS vector rates the required privilege as low (PR:L), i.e. an ordinary account suffices, so on instances where anyone can register an account the exposure is effectively public. Version 3.3.7 fixes the issue. Owners of instances that allow everyone to create a user account, and who wish to truly restrict access to these user details, should consider restricting user search to managers (the ALLOW_PUBLIC_USER_SEARCH setting; see References). As a workaround, access to the affected endpoints can be restricted (e.g. in the web server config), but doing so breaks the form fields that can no longer show the details of the users listed in them, so upgrading instead is strongly recommended.
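Because the endpoint is legitimately used by form fields, blocking it outright is disruptive; a less intrusive compensating control while an upgrade is scheduled is to watch the access log for a single account fetching many distinct user records in a short window, which is what bulk dumping looks like and what normal ACL editing does not. The following is an added example, not Indico's code and not taken from the advisory or the third-party posts. It assumes nginx "combined" log lines with the authenticated account in the $remote_user field, and uses a placeholder route pattern (/users/<id>/details) because this page does not name the real endpoint; both the path pattern and the log lines are constructed and must be adapted to the instance.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ASSUMPTION: placeholder route for the user-details endpoint. This page does not
# name the real path; replace the pattern with the route from the advisory/fix.
USER_DETAILS_PATH = re.compile(r"^/users/(?P<uid>\d+)/details(?:[?#]|$)")

# nginx "combined" format. ASSUMPTION: the third field ($remote_user) carries the
# authenticated Indico account; adapt if the account is logged elsewhere.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

WINDOW = timedelta(seconds=60)  # sliding window length
THRESHOLD = 5                   # distinct user records per account per window; tune per instance


def parse_line(line):
    """Return (timestamp, account, uid) for a successful GET of a user record, else None.

    Denied requests (403/404) are deliberately ignored: only records that were
    actually disclosed count towards enumeration.
    """
    m = LOG_LINE.match(line)
    if not m:
        return None
    path = USER_DETAILS_PATH.match(m["path"])
    if not path or m["method"] != "GET" or m["status"] != "200":
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["user"], int(path["uid"])


def find_enumerators(lines, window=WINDOW, threshold=THRESHOLD):
    """Report accounts that fetched >= threshold distinct user records within one window.

    Returns {account: peak number of distinct records seen in any window}.
    Lines are assumed to be in chronological order, as access logs are.
    """
    recent = defaultdict(deque)  # account -> deque of (timestamp, uid), oldest first
    peak = defaultdict(int)
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        ts, account, uid = hit
        q = recent[account]
        q.append((ts, uid))
        while q and ts - q[0][0] > window:   # drop hits older than the window
            q.popleft()
        distinct = len({u for _, u in q})    # repeats of the same record do not count
        if distinct > peak[account]:
            peak[account] = distinct
    return {a: n for a, n in peak.items() if n >= threshold}


# Constructed sample: alice walks through IDs 1001..1005 in six seconds (one
# repeat, one denied request), bob looks at a single user, then alice returns
# much later, outside the window.
SAMPLE_LOG = """\
203.0.113.5 - alice [14/Jul/2025:10:00:01 +0000] "GET /users/1001/details HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - alice [14/Jul/2025:10:00:02 +0000] "GET /users/1002/details HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.5 - alice [14/Jul/2025:10:00:03 +0000] "GET /users/1003/details HTTP/1.1" 200 503 "-" "Mozilla/5.0"
203.0.113.5 - alice [14/Jul/2025:10:00:04 +0000] "GET /users/1003/details HTTP/1.1" 200 503 "-" "Mozilla/5.0"
203.0.113.5 - alice [14/Jul/2025:10:00:05 +0000] "GET /users/1004/details HTTP/1.1" 200 520 "-" "Mozilla/5.0"
203.0.113.5 - alice [14/Jul/2025:10:00:06 +0000] "GET /users/1005/details HTTP/1.1" 200 511 "-" "Mozilla/5.0"
198.51.100.7 - bob [14/Jul/2025:10:00:07 +0000] "GET /users/1001/details HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - bob [14/Jul/2025:10:00:08 +0000] "GET /event/42/manage HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.5 - alice [14/Jul/2025:10:00:09 +0000] "GET /users/1006/details HTTP/1.1" 403 120 "-" "Mozilla/5.0"
203.0.113.5 - alice [14/Jul/2025:10:05:00 +0000] "GET /users/1007/details HTTP/1.1" 200 511 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for account, n in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{account}: {n} distinct user records within one {WINDOW.seconds}s window")
```

Keying on the authenticated account rather than the source IP matters here: the attacker needs an account (PR:L), so the account is the stable identifier even if requests are spread over several addresses, and a per-account threshold does not penalise many legitimate users behind one NAT.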

CVSS Details

Base Score
5.3 (CVSS 4.0, Medium)
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector (AV) Network
Attack Complexity (AC) Low
Attack Requirements (AT) None
Privileges Required (PR) Low
User Interaction (UI) None
Vulnerable System Confidentiality (VC) Low
Vulnerable System Integrity (VI) None
Vulnerable System Availability (VA) None
Subsequent System Confidentiality (SC) Low
Subsequent System Integrity (SI) None
Subsequent System Availability (SA) None
Threat, Environmental and Supplemental metrics Not defined (X)

Threat Intelligence

EPSS Exploit Probability
42.7% (percentile)
Exploit & Patch Status
Public Exploit Known
Patch Available (fixed in Indico 3.3.7; see the vendor advisory and release notes under References)

Weaknesses 3

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-639 Authorization Bypass Through User-Controlled Key
CWE-862 Missing Authorization

Affected Products 1

Vendor   Product   Version   Range
cern     indico    *         >= 2.2 and < 3.3.7
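When checking an inventory of instances against this range, the edge cases are pre-releases: a release candidate or dev build of 3.3.7 sorts below the fixed version and is still affected, while a pre-release of 2.2 falls before the lower bound. The following is an added example of such a range check, not code from the Indico project; the version strings it is exercised with are constructed.

```python
import re

# Affected range from the advisory: >= 2.2 and < 3.3.7.
AFFECTED_MIN = "2.2"
FIXED_IN = "3.3.7"

# Numeric release followed by an optional pre-release tag, e.g. 3.3.7rc1, 3.3.7.dev2, v3.3.6.
_VERSION = re.compile(
    r"^v?(?P<release>\d+(?:\.\d+)*)(?:[-.]?(?P<tag>alpha|beta|rc|dev|a|b)(?P<n>\d*))?",
    re.IGNORECASE,
)
# Pre-release ordering: dev < alpha/a < beta/b < rc < final release.
_PRE_RANK = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3}
_FINAL = 4


def version_key(text):
    """Sortable key such that '3.3.7rc1' < '3.3.7' and '2.2' == '2.2.0'."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m["release"].split("."))
    nums += (0,) * (3 - len(nums))  # pad so that 2.2 compares equal to 2.2.0
    if m["tag"]:
        return nums, _PRE_RANK[m["tag"].lower()], int(m["n"] or 0)
    return nums, _FINAL, 0


def is_affected(text):
    """True if the given Indico version lies inside the advisory's affected range."""
    return version_key(AFFECTED_MIN) <= version_key(text) < version_key(FIXED_IN)


if __name__ == "__main__":
    # Constructed inventory; the last entry is a pre-release of the fixed version.
    for v in ["2.1.9", "2.2", "3.3.6", "3.3.7", "3.4.0", "v3.3.7rc1", "2.2.0.dev1"]:
        print(f"{v:>12}: {'AFFECTED' if is_affected(v) else 'not affected'}")
```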

References 6

  • docs.getindico.io https://docs.getindico.io/en/stable/config/settings/#ALLOW_PUBLIC_USER_SEARCH
    Product
  • docs.getindico.io https://docs.getindico.io/en/stable/installation/upgrade
    Product
  • github.com https://github.com/indico/indico/releases/tag/v3.3.7
    Release Notes
  • github.com https://github.com/indico/indico/security/advisories/GHSA-q28v-664f-q6wj
    Vendor Advisory
  • vicarius.io https://www.vicarius.io/vsociety/posts/cve202553640-detect-indico-vulnerability
    Exploit, Third Party Advisory
  • vicarius.io https://www.vicarius.io/vsociety/posts/cve202553640-mitigate-indico-vulnerability
    Exploit, Mitigation, Third Party Advisory

Remediation

Upgrade Indico to 3.3.7 or later (release notes and upgrade guide under References).

If the instance allows anyone to create an account and user details should not be visible to every account holder, additionally restrict user search to managers via the ALLOW_PUBLIC_USER_SEARCH setting.

Workaround only: restrict access to the affected endpoints in the web server configuration. This breaks the form fields that display the listed users' details, so it should only bridge the time until the upgrade.