Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-45399

Good to know:

icon
icon

Date: September 4, 2024

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In Indico prior to version 3.3.4, corresponding to Flask-Multipass prior to version 0.5.5, there is a Cross-Site-Scripting vulnerability during account creation when redirecting to the "next" URL. Exploitation requires initiating the account creation process with a maliciously crafted link, and then finalizing the signup process. Because of this, it can only target newly created (and thus unprivileged) Indico users. Indico 3.3.4 upgrades the dependency on Flask-Multipass to version 0.5.5, which fixes the issue. Those who build the Indico package themselves and cannot upgrade can update the "flask-multipass" dependency to ">=0.5.5" which fixes the vulnerability. Otherwise one could configure one's web server to disallow requests containing a query string with a "next" parameter that starts with "javascript:".

Language: Python

Severity Score

Related Resources (8)

https://github.com/indico/indico/security/advisories/GHSA-rrqf-w74j-24ff
https://github.com/indico/flask-multipass/commit/0bdcf656d469e5f675cb56fd644d82fea3a97c2a
https://github.com/indico/indico/commit/7dcb573837b9fd09d95f74d1baeae225b164cc8f
https://github.com/indico/indico
https://nvd.nist.gov/vuln/detail/CVE-2024-45399
https://github.com/indico/indico/releases/tag/v3.3.4
https://github.com/pypa/advisory-database/tree/main/vulns/indico/PYSEC-2024-90.yaml
https://www.mend.io/vulnerability-database/CVE-2024-45399

Severity Score

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Dependency on Vulnerable Third-Party Component

CWE-1395

Top Fix

icon

Upgrade Version

Upgrade to version indico - 3.3.4

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us