PYSEC-2024-90

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/indico/PYSEC-2024-90.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2024-90
Aliases
Published
2024-09-04T20:15:00Z
Modified
2024-09-25T07:42:46.158363Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In Indico prior to version 3.3.4, corresponding to Flask-Multipass prior to version 0.5.5, there is a Cross-Site-Scripting vulnerability during account creation when redirecting to the next URL. Exploitation requires initiating the account creation process with a maliciously crafted link, and then finalizing the signup process. Because of this, it can only target newly created (and thus unprivileged) Indico users. Indico 3.3.4 upgrades the dependency on Flask-Multipass to version 0.5.5, which fixes the issue. Those who build the Indico package themselves and cannot upgrade can update the flask-multipass dependency to >=0.5.5 which fixes the vulnerability. Otherwise one could configure one's web server to disallow requests containing a query string with a next parameter that starts with javascript:.

References

Affected packages

PyPI / indico

Package

Affected ranges

Type
GIT
Repo
https://github.com/indico/flask-multipass
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/indico/indico
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.3.4

Affected versions

0.*

0.98-rc1
0.98.0
0.98.1
0.98.2
0.99

1.*

1.0
1.1
1.1.1
1.1.2
1.2
1.2.1rc2
1.2.1rc4
1.2.1rc5
1.2.1rc6
1.2.1rc7
1.2.1rc9
1.2.1rc10
1.2.1rc11
1.2.1
1.2.2rc1
1.2.2
1.9.11.dev3
1.9.11.dev4
1.9.11.dev6
1.9.11.dev7
1.9.11.dev8
1.9.11.dev9
1.9.11.dev10
1.9.11.dev11
1.9.11.dev12
1.9.11.dev13
1.9.11.dev14
1.9.11.dev15
1.9.11.dev16
1.9.11.dev17

2.*

2.0a1
2.0rc1
2.0rc2
2.0
2.0.1
2.0.2
2.0.3
2.1
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.2
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.3
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5

3.*

3.0rc1
3.0rc2
3.0
3.0.1
3.0.2
3.0.3
3.1
3.1.1
3.2
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.3
3.3.1
3.3.2
3.3.3