CVE-2025-59035
MEDIUM EPSS 8.8%
Published Sep 10, 20259mo ago · Modified Jun 17, 20262w ago
5.4 CVSS 3.1
Published Sep 10, 2025 9mo ago
Last Modified Jun 17, 2026 2w ago
Description
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Prior to version 3.3.8, there is a Cross-Site-Scripting vulnerability when rendering LaTeX math code in contribution or abstract descriptions. Users should to update to Indico 3.3.8 as soon as possible. As a workaround, only let trustworthy users create content on Indico. Note that a conference doing a Call for Abstracts actively invites external speakers (who the organizers may not know and thus cannot fully trust) to submit content, hence the need to update to a a fixed version ASAP in particular when using such workflows.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None
Threat Intelligence
EPSS Exploit Probability
8.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-79 Cross-site Scripting Injection
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| cern | indico | * | <3.3.8 |
References 2
- github.com https://github.com/indico/indico/releases/tag/v3.3.8
- github.com https://github.com/indico/indico/security/advisories/GHSA-7cf7-9wrr-vrf4
Remediation
- github.com https://github.com/indico/indico/security/advisories/GHSA-7cf7-9wrr-vrf4