CVE-2023-37901: Indico vulnerable to Cross-Site-Scripting via confirmation prompts
There is a Cross-Site-Scripting vulnerability in the confirmation prompts Indico commonly shows before deleting content. Exploitation requires two parties: an attacker with at least submission privileges (such as a speaker), who plants the payload in submitted content, and a victim with the rights to delete that content, who triggers the confirmation prompt by attempting to delete it.
Since event organizers may well try to delete suspicious-looking content as soon as they spot it, the chance of such an attack succeeding is non-negligible. The risk increases further when the attacker combines it with social engineering that points the victim towards the planted content. The fix is contained in the release listed in the references below (v3.2.6); upgrade to that version or later.
References
- docs.getindico.io/en/stable/installation/upgrade
- github.com/advisories/GHSA-fmqq-25x9-c6hm
- github.com/indico/indico
- github.com/indico/indico/commit/2ee636d318653fb1ab193803dafbfe3e371d4130
- github.com/indico/indico/releases/tag/v3.2.6
- github.com/indico/indico/security/advisories/GHSA-fmqq-25x9-c6hm
- github.com/pypa/advisory-database/tree/main/vulns/indico/PYSEC-2023-129.yaml
- nvd.nist.gov/vuln/detail/CVE-2023-37901