GHSA-rrqf-w74j-24ff: Indico has a Cross-Site-Scripting during account creation

September 4, 2024

There is a Cross-Site-Scripting vulnerability during account creation when redirecting after the account has been successfully created. Exploitation requires the user to initiate the account creation process with a maliciously crafted link, and then finalize the signup process. Because of this, it can only target newly created (and thus unprivileged) Indico users so the benefits of exploiting it are very limited.

References

github.com/advisories/GHSA-rrqf-w74j-24ff
github.com/indico/indico
github.com/indico/indico/commit/7dcb573837b9fd09d95f74d1baeae225b164cc8f
github.com/indico/indico/releases/tag/v3.3.4
github.com/indico/indico/security/advisories/GHSA-rrqf-w74j-24ff

Detect and mitigate GHSA-rrqf-w74j-24ff with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →