CVE-2026-25739
中文标题:
(暂无数据)
英文标题:
Indico affected by Cross-Site-Scripting via material uploads
漏洞描述
中文描述:
(暂无数据)
英文描述:
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to cross-site scripting when uploading certain file types as materials. Users should upgrade to version 3.3.10 to receive a patch. To apply the fix itself updating is sufficient, but to benefit from the strict Content Security Policy (CSP) Indico now applies by default for file downloads, update the webserver config in case one uses nginx with Indico's `STATIC_FILE_METHOD` set to `xaccelredirect`. For further directions, consult the GitHub Security advisory or Indico setup documentation. Some workarounds are available. Use the webserver config to apply a strict CSP for material download endpoints, and/or only let trustworthy users create content (including material uploads, which speakers can typically do as well) on Indico.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| indico | indico | < 3.3.10 | - | - |
cpe:2.3:a:indico:indico:<_3.3.10:*:*:*:*:*:*:*
|
| cern | indico | * | - | - |
cpe:2.3:a:cern:indico:*:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
3.1 (cna)
MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2026-25739 |
2026-02-20 03:19:37 | 2026-02-19 22:00:03 |
| NVD | nvd_CVE-2026-25739 |
2026-02-20 02:00:04 | 2026-02-19 22:00:05 |
版本与语言
安全公告
变更历史
查看详细变更
- affected_products_count: 1 -> 2
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']