pysec-2024-90
Vulnerability from pysec
Published
2024-09-04 20:15
Modified
2024-09-25 06:23
Severity ?
Details
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In Indico prior to version 3.3.4, corresponding to Flask-Multipass prior to version 0.5.5, there is a Cross-Site-Scripting vulnerability during account creation when redirecting to the next URL. Exploitation requires initiating the account creation process with a maliciously crafted link, and then finalizing the signup process. Because of this, it can only target newly created (and thus unprivileged) Indico users. Indico 3.3.4 upgrades the dependency on Flask-Multipass to version 0.5.5, which fixes the issue. Those who build the Indico package themselves and cannot upgrade can update the flask-multipass dependency to >=0.5.5 which fixes the vulnerability. Otherwise one could configure one's web server to disallow requests containing a query string with a next parameter that starts with javascript:.
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "indico",
"purl": "pkg:pypi/indico"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0bdcf656d469e5f675cb56fd644d82fea3a97c2a"
}
],
"repo": "https://github.com/indico/flask-multipass",
"type": "GIT"
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7dcb573837b9fd09d95f74d1baeae225b164cc8f"
}
],
"repo": "https://github.com/indico/indico",
"type": "GIT"
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.98-rc1",
"0.98.0",
"0.98.1",
"0.98.2",
"0.99",
"1.0",
"1.1",
"1.1.1",
"1.1.2",
"1.2",
"1.2.1",
"1.2.1rc10",
"1.2.1rc11",
"1.2.1rc2",
"1.2.1rc4",
"1.2.1rc5",
"1.2.1rc6",
"1.2.1rc7",
"1.2.1rc9",
"1.2.2",
"1.2.2rc1",
"1.9.11.dev10",
"1.9.11.dev11",
"1.9.11.dev12",
"1.9.11.dev13",
"1.9.11.dev14",
"1.9.11.dev15",
"1.9.11.dev16",
"1.9.11.dev17",
"1.9.11.dev3",
"1.9.11.dev4",
"1.9.11.dev6",
"1.9.11.dev7",
"1.9.11.dev8",
"1.9.11.dev9",
"2.0",
"2.0.1",
"2.0.2",
"2.0.3",
"2.0a1",
"2.0rc1",
"2.0rc2",
"2.1",
"2.1.1",
"2.1.10",
"2.1.11",
"2.1.2",
"2.1.3",
"2.1.4",
"2.1.5",
"2.1.6",
"2.1.7",
"2.1.8",
"2.1.9",
"2.2",
"2.2.1",
"2.2.2",
"2.2.3",
"2.2.4",
"2.2.5",
"2.2.6",
"2.2.7",
"2.2.8",
"2.3",
"2.3.1",
"2.3.2",
"2.3.3",
"2.3.4",
"2.3.5",
"3.0",
"3.0.1",
"3.0.2",
"3.0.3",
"3.0rc1",
"3.0rc2",
"3.1",
"3.1.1",
"3.2",
"3.2.1",
"3.2.2",
"3.2.3",
"3.2.4",
"3.2.5",
"3.2.6",
"3.2.7",
"3.2.8",
"3.2.9",
"3.3",
"3.3.1",
"3.3.2",
"3.3.3"
]
}
],
"aliases": [
"CVE-2024-45399",
"GHSA-rrqf-w74j-24ff"
],
"details": "Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In Indico prior to version 3.3.4, corresponding to Flask-Multipass prior to version 0.5.5, there is a Cross-Site-Scripting vulnerability during account creation when redirecting to the `next` URL. Exploitation requires initiating the account creation process with a maliciously crafted link, and then finalizing the signup process. Because of this, it can only target newly created (and thus unprivileged) Indico users. Indico 3.3.4 upgrades the dependency on Flask-Multipass to version 0.5.5, which fixes the issue. Those who build the Indico package themselves and cannot upgrade can update the `flask-multipass` dependency to `\u003e=0.5.5` which fixes the vulnerability. Otherwise one could configure one\u0027s web server to disallow requests containing a query string with a `next` parameter that starts with `javascript:`.",
"id": "PYSEC-2024-90",
"modified": "2024-09-25T06:23:55.564403+00:00",
"published": "2024-09-04T20:15:00+00:00",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/indico/indico/security/advisories/GHSA-rrqf-w74j-24ff"
},
{
"type": "FIX",
"url": "https://github.com/indico/flask-multipass/commit/0bdcf656d469e5f675cb56fd644d82fea3a97c2a"
},
{
"type": "FIX",
"url": "https://github.com/indico/indico/commit/7dcb573837b9fd09d95f74d1baeae225b164cc8f"
},
{
"type": "WEB",
"url": "https://github.com/indico/indico/releases/tag/v3.3.4"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.