pysec - pysec-2024-90

pysec-2024-90

Vulnerability from pysec

Published

2024-09-04 20:15

Modified

2024-09-25 06:23

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In Indico prior to version 3.3.4, corresponding to Flask-Multipass prior to version 0.5.5, there is a Cross-Site-Scripting vulnerability during account creation when redirecting to the next URL. Exploitation requires initiating the account creation process with a maliciously crafted link, and then finalizing the signup process. Because of this, it can only target newly created (and thus unprivileged) Indico users. Indico 3.3.4 upgrades the dependency on Flask-Multipass to version 0.5.5, which fixes the issue. Those who build the Indico package themselves and cannot upgrade can update the flask-multipass dependency to >=0.5.5 which fixes the vulnerability. Otherwise one could configure one's web server to disallow requests containing a query string with a next parameter that starts with javascript:.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "indico",
        "purl": "pkg:pypi/indico"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0bdcf656d469e5f675cb56fd644d82fea3a97c2a"
            }
          ],
          "repo": "https://github.com/indico/flask-multipass",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7dcb573837b9fd09d95f74d1baeae225b164cc8f"
            }
          ],
          "repo": "https://github.com/indico/indico",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.98-rc1",
        "0.98.0",
        "0.98.1",
        "0.98.2",
        "0.99",
        "1.0",
        "1.1",
        "1.1.1",
        "1.1.2",
        "1.2",
        "1.2.1",
        "1.2.1rc10",
        "1.2.1rc11",
        "1.2.1rc2",
        "1.2.1rc4",
        "1.2.1rc5",
        "1.2.1rc6",
        "1.2.1rc7",
        "1.2.1rc9",
        "1.2.2",
        "1.2.2rc1",
        "1.9.11.dev10",
        "1.9.11.dev11",
        "1.9.11.dev12",
        "1.9.11.dev13",
        "1.9.11.dev14",
        "1.9.11.dev15",
        "1.9.11.dev16",
        "1.9.11.dev17",
        "1.9.11.dev3",
        "1.9.11.dev4",
        "1.9.11.dev6",
        "1.9.11.dev7",
        "1.9.11.dev8",
        "1.9.11.dev9",
        "2.0",
        "2.0.1",
        "2.0.2",
        "2.0.3",
        "2.0a1",
        "2.0rc1",
        "2.0rc2",
        "2.1",
        "2.1.1",
        "2.1.10",
        "2.1.11",
        "2.1.2",
        "2.1.3",
        "2.1.4",
        "2.1.5",
        "2.1.6",
        "2.1.7",
        "2.1.8",
        "2.1.9",
        "2.2",
        "2.2.1",
        "2.2.2",
        "2.2.3",
        "2.2.4",
        "2.2.5",
        "2.2.6",
        "2.2.7",
        "2.2.8",
        "2.3",
        "2.3.1",
        "2.3.2",
        "2.3.3",
        "2.3.4",
        "2.3.5",
        "3.0",
        "3.0.1",
        "3.0.2",
        "3.0.3",
        "3.0rc1",
        "3.0rc2",
        "3.1",
        "3.1.1",
        "3.2",
        "3.2.1",
        "3.2.2",
        "3.2.3",
        "3.2.4",
        "3.2.5",
        "3.2.6",
        "3.2.7",
        "3.2.8",
        "3.2.9",
        "3.3",
        "3.3.1",
        "3.3.2",
        "3.3.3"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45399",
    "GHSA-rrqf-w74j-24ff"
  ],
  "details": "Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In Indico prior to version 3.3.4, corresponding to Flask-Multipass prior to version 0.5.5, there is a Cross-Site-Scripting vulnerability during account creation when redirecting to the `next` URL. Exploitation requires initiating the account creation process with a maliciously crafted link, and then finalizing the signup process. Because of this, it can only target newly created (and thus unprivileged) Indico users. Indico 3.3.4 upgrades the dependency on Flask-Multipass to version 0.5.5, which fixes the issue. Those who build the Indico package themselves and cannot upgrade can update the `flask-multipass` dependency to `\u003e=0.5.5` which fixes the vulnerability. Otherwise one could configure one\u0027s web server to disallow requests containing a query string with a `next` parameter that starts with `javascript:`.",
  "id": "PYSEC-2024-90",
  "modified": "2024-09-25T06:23:55.564403+00:00",
  "published": "2024-09-04T20:15:00+00:00",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/indico/indico/security/advisories/GHSA-rrqf-w74j-24ff"
    },
    {
      "type": "FIX",
      "url": "https://github.com/indico/flask-multipass/commit/0bdcf656d469e5f675cb56fd644d82fea3a97c2a"
    },
    {
      "type": "FIX",
      "url": "https://github.com/indico/indico/commit/7dcb573837b9fd09d95f74d1baeae225b164cc8f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/releases/tag/v3.3.4"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

ghsa-rrqf-w74j-24ff

Vulnerability from github

Published

2024-09-04 17:19

Modified

2024-09-25 17:55

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5.1 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Summary

Indico has a Cross-Site-Scripting during account creation

Details

Impact

There is a Cross-Site-Scripting vulnerability during account creation when redirecting after the account has been successfully created. Exploitation requires the user to initiate the account creation process with a maliciously crafted link, and then finalize the signup process. Because of this, it can only target newly created (and thus unprivileged) Indico users so the benefits of exploiting it are very limited.

Patches

You should to update to Indico 3.3.4 as soon as possible. See the docs for instructions on how to update.

Workarounds

If you build the Indico package yourself and cannot upgrade for some reason, you can simply update the flask-multipass dependency to >=0.5.5 which fixes the vulnerability. You would do that by editing requirements.txt before building the package (see commit 7dcb573837), or possibly cherry-picking that particular commit.
Otherwise you could configure your web server to disallow requests containing a query string with a parameter that starts with javascript:

For more information

If you have any questions or comments about this advisory:

Open a thread in our forum
Email us privately at indico-team@cern.ch

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "indico"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45399"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-04T17:19:14Z",
    "nvd_published_at": "2024-09-04T20:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThere is a Cross-Site-Scripting vulnerability during account creation when redirecting after the account has been successfully created.\nExploitation requires the user to initiate the account creation process with a maliciously crafted link, and then finalize the signup process. Because of this, it can only target newly created (and thus unprivileged) Indico users so the benefits of exploiting it are very limited.\n\n### Patches\nYou should to update to [Indico 3.3.4](https://github.com/indico/indico/releases/tag/v3.3.4) as soon as possible.\nSee [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update.\n\n### Workarounds\n- If you build the Indico package yourself and cannot upgrade for some reason, you can simply update the `flask-multipass` dependency to `\u003e=0.5.5` which fixes the vulnerability. You would do that by editing `requirements.txt` before building the package (see commit 7dcb573837), or possibly cherry-picking that particular commit.\n- Otherwise you could configure your web server to disallow requests containing a query string with a parameter that starts with `javascript:`\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open a thread in [our forum](https://talk.getindico.io/)\n- Email us privately at [indico-team@cern.ch](mailto:indico-team@cern.ch)",
  "id": "GHSA-rrqf-w74j-24ff",
  "modified": "2024-09-25T17:55:29Z",
  "published": "2024-09-04T17:19:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/security/advisories/GHSA-rrqf-w74j-24ff"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45399"
    },
    {
      "type": "WEB",
      "url": "https://github.com/indico/flask-multipass/commit/0bdcf656d469e5f675cb56fd644d82fea3a97c2a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/commit/7dcb573837b9fd09d95f74d1baeae225b164cc8f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/indico/indico"
    },
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/releases/tag/v3.3.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/indico/PYSEC-2024-90.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Indico has a Cross-Site-Scripting during account creation"
}

cve-2024-45399

Vulnerability from cvelistv5

Published

2024-09-04 20:12

Modified

2024-09-04 20:17

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Summary

Indico has a Cross-Site-Scripting during account creation

References

▼	URL	Tags
	https://github.com/indico/indico/security/advisories/GHSA-rrqf-w74j-24ff	x_refsource_CONFIRM
	https://github.com/indico/flask-multipass/commit/0bdcf656d469e5f675cb56fd644d82fea3a97c2a	x_refsource_MISC
	https://github.com/indico/indico/commit/7dcb573837b9fd09d95f74d1baeae225b164cc8f	x_refsource_MISC
	https://github.com/indico/indico/releases/tag/v3.3.4	x_refsource_MISC

Impacted products

▼	Vendor	Product
	indico	indico

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45399",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-04T20:17:25.903426Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-04T20:17:38.298Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "indico",
          "vendor": "indico",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.3.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In Indico prior to version 3.3.4, corresponding to Flask-Multipass prior to version 0.5.5, there is a Cross-Site-Scripting vulnerability during account creation when redirecting to the `next` URL. Exploitation requires initiating the account creation process with a maliciously crafted link, and then finalizing the signup process. Because of this, it can only target newly created (and thus unprivileged) Indico users. Indico 3.3.4 upgrades the dependency on Flask-Multipass to version 0.5.5, which fixes the issue. Those who build the Indico package themselves and cannot upgrade can update the `flask-multipass` dependency to `\u003e=0.5.5` which fixes the vulnerability. Otherwise one could configure one\u0027s web server to disallow requests containing a query string with a `next` parameter that starts with `javascript:`."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1395",
              "description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-04T20:12:20.457Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/indico/indico/security/advisories/GHSA-rrqf-w74j-24ff",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/indico/indico/security/advisories/GHSA-rrqf-w74j-24ff"
        },
        {
          "name": "https://github.com/indico/flask-multipass/commit/0bdcf656d469e5f675cb56fd644d82fea3a97c2a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/indico/flask-multipass/commit/0bdcf656d469e5f675cb56fd644d82fea3a97c2a"
        },
        {
          "name": "https://github.com/indico/indico/commit/7dcb573837b9fd09d95f74d1baeae225b164cc8f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/indico/indico/commit/7dcb573837b9fd09d95f74d1baeae225b164cc8f"
        },
        {
          "name": "https://github.com/indico/indico/releases/tag/v3.3.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/indico/indico/releases/tag/v3.3.4"
        }
      ],
      "source": {
        "advisory": "GHSA-rrqf-w74j-24ff",
        "discovery": "UNKNOWN"
      },
      "title": "Indico has a Cross-Site-Scripting during account creation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-45399",
    "datePublished": "2024-09-04T20:12:20.457Z",
    "dateReserved": "2024-08-28T20:21:32.803Z",
    "dateUpdated": "2024-09-04T20:17:38.298Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Action not permitted

pysec-2024-90

Vulnerability from pysec

ghsa-rrqf-w74j-24ff

Vulnerability from github

Impact

Patches

Workarounds

For more information

cve-2024-45399

Vulnerability from cvelistv5

Tags