indico
PyPI · 4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting indico (page 1 of 1)
- CVE-2021-30185 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 2.3.4 · 2021-04-07
  Vulnerable: 0.98-rc1 ... 2.3.3 (67 versions)
  CERN Indico before 2.3.4 can use an attacker-supplied Host header in a password reset link.
- CVE-2023-37901 · MEDIUM · CVSS 5.4 · EG 5.4 · ✓ Fixed in 3.2.6 · 2023-07-21
  Vulnerable: 0.98-rc1 ... 3.2.5 (83 versions)
  Indico is an open source, general-purpose, web-based event management tool. There is a Cross-Site-Scripting vulnerability in confirmation prompts commonly used when deleting content from Indico. Exploitation requires someone with at least…
- CVE-2024-45399 · MEDIUM · CVSS 4.3 · EG 4.3 · ✓ Fixed in 3.3.4 · 2024-09-04
  Vulnerable: 0.98-rc1 ... 3.3.3 (91 versions)
  Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In Indico prior to version 3.3.4, corresponding to Flask-Multipass prior to version 0.5.5, there is a Cross-Site-Scripting vul…
- CVE-2024-50633 · NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 3.3.3 · 2025-01-16
  Vulnerable: 3.2.9, 3.3, 3.3.1, 3.3.2
  A Broken Object Level Authorization (BOLA) vulnerability in Indico through 3.3.5 allows attackers to read information by sending a crafted POST request to the component /api/principals. NOTE: this is disputed by the Supplier because the pr…