CVE-2023-37901
CVE-2023-37901 is a medium-severity vulnerability in Cern Indico with a CVSS 3.x base score of 5.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-79.
Key facts
- Severity: Medium (CVSS 3.x base score 5.4)
- EPSS exploit prediction: 0% (35th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-79
- Affected product: Cern Indico
- Published:
- Last modified:
Description
Indico is an open source a general-purpose, web based event management tool. There is a Cross-Site-Scripting vulnerability in confirmation prompts commonly used when deleting content from Indico. Exploitation requires someone with at least submission privileges (such as a speaker) and then someone else to attempt to delete this content. Considering that event organizers may want to delete suspicious-looking content when spotting it, there is a non-negligible risk of such an attack to succeed. The risk of this could be further increased when combined with some some social engineering pointing the victim towards this content. Users need to update to Indico 3.2.6 as soon as possible. See the docs for instructions on how to update. Users who cannot upgrade should only let trustworthy users manage categories, create events or upload materials ("submission" privileges on a contribution/event). This should already be the case in a properly-configured setup when it comes to category/event management. Note that a conference doing a Call for Abstracts actively invites external speakers (who the organizers may not know and thus cannot fully trust) to submit content, hence the need to update to a a fixed version ASAP in particular when using such workflows.
Frequently asked questions
- What is CVE-2023-37901?
- Indico is an open source a general-purpose, web based event management tool. There is a Cross-Site-Scripting vulnerability in confirmation prompts commonly used when deleting content from Indico. Exploitation requires someone with at least submission privileges (such as a speaker) and then someone else to attempt to delete this content. Considering that event organizers may want to delete suspicious-looking content when spotting it, there is a non-negligible risk of such an attack to succeed. The risk of this could be further increased when combined with some some social engineering pointing the victim towards this content. Users need to update to Indico 3.2.6 as soon as possible. See the docs for instructions on how to update. Users who cannot upgrade should only let trustworthy users manage categories, create events or upload materials ("submission" privileges on a contribution/event). This should already be the case in a properly-configured setup when it comes to category/event management. Note that a conference doing a Call for Abstracts actively invites external speakers (who the organizers may not know and thus cannot fully trust) to submit content, hence the need to update to a a fixed version ASAP in particular when using such workflows.
- How severe is CVE-2023-37901?
- CVE-2023-37901 has a CVSS 3.x base score of 5.4, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2023-37901 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (35th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-37901?
- CVE-2023-37901 affects Cern Indico. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-37901?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-37901 published?
- CVE-2023-37901 was published on 2023-07-21 and last updated on 2026-06-17.
References
- https://docs.getindico.io/en/stable/installation/upgrade/
- https://github.com/indico/indico/commit/2ee636d318653fb1ab193803dafbfe3e371d4130
- https://github.com/indico/indico/releases/tag/v3.2.6
- https://github.com/indico/indico/security/advisories/GHSA-fmqq-25x9-c6hm
Affected products (1)
- cpe:2.3:a:cern:indico:*:*:*:*:*:*:*:*
More vulnerabilities in Cern Indico
- CVE-2026-33046 — High (CVSS 8.8): Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In…
- CVE-2021-30185 — High (CVSS 7.5): CERN Indico before 2.3.4 can use an attacker-supplied Host header in a password reset link.
- CVE-2026-28352 — Medium (CVSS 6.5): Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In…
- CVE-2025-53640 — Medium (CVSS 6.5): Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask.…
- CVE-2026-25739 — Medium (CVSS 5.4): Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask.…
- CVE-2025-59035 — Medium (CVSS 4.6): Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Prior…
All CVEs affecting Cern Indico →
Other CWE-79 (Cross-site Scripting (XSS)) vulnerabilities
- CVE-2025-49410 — Critical (CVSS 10.0): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu TC…
- CVE-2024-47875 — Critical (CVSS 10.0): DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to…
- CVE-2024-6886 — Critical (CVSS 10.0): Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea…
- CVE-2023-45144 — Critical (CVSS 10.0): com.xwiki.identity-oauth:identity-oauth-ui is a package to aid in building identity and service providers based on…
- CVE-2023-45138 — Critical (CVSS 10.0): Change Request is an pplication allowing users to request changes on a wiki without publishing the changes directly.…
- CVE-2022-4361 — Critical (CVSS 10.0): Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the…
Browse all CWE-79 (Cross-site Scripting (XSS)) vulnerabilities →