← Back

CVE-2025-59034

nvd nist
Published: Sep 10, 2025Modified: Sep 17, 2025

JSON object

Loading...
4.3
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 / Impact: 1.4
Source: security-advisories@github.com (Secondary)

Description

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Prior to version 3.3.8, a legacy API to retrieve user details could be misused to retrieve profile details of other users without having admin permissions due to a broken access check. Users should to update to Indico 3.3.8 as soon as possible. As a workaround, it is possible to restrict access to the affected API (e.g. in the webserver config).

Affected (1)

Products: Cern: Indico
Cern
1 product
Indico
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Indico
Before 3.3.8

Related CWEs

CWE-639
Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (2)

Source: security-advisories@github.com
Release Notes
Source: security-advisories@github.com
PatchVendor Advisory

Timeline

No history available yet.