6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-45399

GHSA ID

GHSA-rrqf-w74j-24ff

EPSS Score

0.44596%

CWE

CWE-79

Published

9/4/2024

Updated

9/25/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-45399

CVE-2024-45399: Indico has a Cross-Site-Scripting during account creation

Impact

There is a Cross-Site-Scripting vulnerability during account creation when redirecting after the account has been successfully created. Exploitation requires the user to initiate the account creation process with a maliciously crafted link, and then finalize the signup process. Because of this, it can only target newly created (and thus unprivileged) Indico users so the benefits of exploiting it are very limited.

Patches

You should to update to Indico 3.3.4 as soon as possible. See the docs for instructions on how to update.

Workarounds

If you build the Indico package yourself and cannot upgrade for some reason, you can simply update the flask-multipass dependency to >=0.5.5 which fixes the vulnerability. You would do that by editing requirements.txt before building the package (see commit 7dcb573837), or possibly cherry-picking that particular commit.
Otherwise you could configure your web server to disallow requests containing a query string with a parameter that starts with javascript:

For more information

If you have any questions or comments about this advisory:

Open a thread in our forum
Email us privately at indico-team@cern.ch

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-45399

CVE-2024-45399:

6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-45399

GHSA ID

GHSA-rrqf-w74j-24ff

EPSS Score

0.44596%

CWE

CWE-79

Published

9/4/2024

Updated

9/25/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
indico	pip	< 3.3.4	3.3.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper validation of the 'next' URL parameter during account creation redirects. The patch in flask-multipass 0.5.5 (commit 0bdcf65) specifically adds a check for valid schemes (http/https) in validate_next_url. Indico's dependency on flask-multipass <0.5.5 allowed malicious 'javascript:' URLs to be accepted, leading to XSS. The vulnerable function resides in the flask-multipass dependency, which Indico uses for authentication flows.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-45399: Indico has a Cross-Site-Scripting during account creation

Impact

Patches

Workarounds

For more information

CVE-2024-45399:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

6.1

6.1

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

CVE-2024-45399: Indico has a Cross-Site-Scripting during account creation

Impact

Patches

Workarounds

For more information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI