{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-16T22:40:34.842","vulnerabilities":[{"cve":{"id":"CVE-2025-59035","sourceIdentifier":"security-advisories@github.com","published":"2025-09-10T16:15:41.323","lastModified":"2025-09-17T21:23:56.843","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Prior to version 3.3.8, there is a Cross-Site-Scripting vulnerability when rendering LaTeX math code in contribution or abstract descriptions. Users should to update to Indico 3.3.8 as soon as possible. As a workaround, only let trustworthy users create content on Indico. Note that a conference doing a Call for Abstracts actively invites external speakers (who the organizers may not know and thus cannot fully trust) to submit content, hence the need to update to a a fixed version ASAP in particular when using such workflows."},{"lang":"es","value":"Indico es un sistema de gestión de eventos que utiliza Flask-Multipass, un sistema de autenticación multi-backend para Flask. Antes de la versión 3.3.8, existe una vulnerabilidad de Cross-Site-Scripting al renderizar código matemático LaTeX en descripciones de contribuciones o resúmenes. Los usuarios deberían actualizar a Indico 3.3.8 lo antes posible. Como solución alternativa, solo permita que usuarios de confianza creen contenido en Indico. Tenga en cuenta que una conferencia que realiza una Convocatoria de Resúmenes invita activamente a ponentes externos (a quienes los organizadores quizás no conozcan y, por lo tanto, no puedan confiar plenamente) a enviar contenido, de ahí la necesidad de actualizar a una versión corregida lo antes posible, en particular al utilizar dichos flujos de trabajo."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N","baseScore":4.6,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":2.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:cern:indico:*:*:*:*:*:*:*:*","versionEndExcluding":"3.3.8","matchCriteriaId":"9763A025-1F04-491A-AA56-DE5C785E7D05"}]}]}],"references":[{"url":"https://github.com/indico/indico/releases/tag/v3.3.8","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/indico/indico/security/advisories/GHSA-7cf7-9wrr-vrf4","source":"security-advisories@github.com","tags":["Patch","Vendor Advisory"]}]}}]}