CVE-2025-59035
- Source
- https://cve.org/CVERecord?id=CVE-2025-59035
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59035.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-59035
- Aliases
- Published
- 2025-09-10T16:03:36.573Z
- Modified
- 2026-04-10T05:31:42.368111Z
- Severity
-
- 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- Indico vulnerable to Cross-Site Scripting via LaTeX math code
- Details
-
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Prior to version 3.3.8, there is a Cross-Site-Scripting vulnerability when rendering LaTeX math code in contribution or abstract descriptions. Users should to update to Indico 3.3.8 as soon as possible. As a workaround, only let trustworthy users create content on Indico. Note that a conference doing a Call for Abstracts actively invites external speakers (who the organizers may not know and thus cannot fully trust) to submit content, hence the need to update to a a fixed version ASAP in particular when using such workflows.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59035.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-79" ] }- References
Affected packages
Git / github.com/indico/indico
Affected ranges
- Type
- GIT
- Repo
- https://github.com/indico/indico
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v0.*
v0.97b
v0.97b2
v1.*
v1.9.11.dev3
v1.9.11.dev6
v1.9.11.dev7
v1.9.11.dev8
v1.9.11.dev9
v1.9.9
v2.*
v2.0a1
v2.0rc1
v2.1
v2.1a1
v2.1a2
v2.1a3
v2.1b1
v2.1rc1
v2.1rc2
v2.1rc3
v2.1rc4
v2.1rc5
v2.1rc6
v2.2
v2.3
v2.3.1
v3.*
v3.0
v3.0rc1
v3.0rc2
v3.2
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.6+docs
v3.3
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7