CVE-2025-59035

MEDIUM EPSS 8.8%
Published Sep 10, 20259mo ago · Modified Jun 17, 20262w ago
5.4 CVSS 3.1
Medium
Find Similar
Published Sep 10, 2025 9mo ago
Last Modified Jun 17, 2026 2w ago

Description

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Prior to version 3.3.8, there is a Cross-Site-Scripting vulnerability when rendering LaTeX math code in contribution or abstract descriptions. Users should to update to Indico 3.3.8 as soon as possible. As a workaround, only let trustworthy users create content on Indico. Note that a conference doing a Call for Abstracts actively invites external speakers (who the organizers may not know and thus cannot fully trust) to submit content, hence the need to update to a a fixed version ASAP in particular when using such workflows.

CVSS Details

Base Score
5.4
Exploitability
2.3
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
8.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

VendorProductVersionRange
cernindico* <3.3.8

References 2

  • github.com https://github.com/indico/indico/releases/tag/v3.3.8
    Release Notes
  • github.com https://github.com/indico/indico/security/advisories/GHSA-7cf7-9wrr-vrf4
    PatchVendor Advisory

Remediation

  • github.com https://github.com/indico/indico/security/advisories/GHSA-7cf7-9wrr-vrf4
    PatchVendor Advisory