Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-45399
Summary
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In Indico versions prior to 3.3.4, corresponding to Flask-Multipass versions prior to 0.5.5, there is a Cross-Site-Scripting (XSS) vulnerability during account creation when redirecting to the "next" URL. Exploitation requires initiating the account creation process with a maliciously crafted link, and then finalizing the signup process. Because of this, it can only target newly created (and thus unprivileged) Indico users. Indico upgrades the dependency on Flask-Multipass, which fixes the issue. Those who build the Indico package themselves and cannot upgrade can update the "flask-multipass" dependency, which fixes the vulnerability. Otherwise, one could configure one's web server to disallow requests containing a query string with a "next" parameter that starts with "javascript".
- LOW
- NETWORK
- LOW
- CHANGED
- REQUIRED
- NONE
- LOW
- NONE
CWE-79 - Cross Site Scripting
Cross-Site Scripting, commonly referred to as XSS, is the most dominant class of vulnerabilities. It allows an attacker to inject malicious code into a pregnable web application and victimize its users. The exploitation of such a weakness can cause severe issues such as account takeover, and sensitive data exfiltration. Because of the prevalence of XSS vulnerabilities and their high rate of exploitation, it has remained in the OWASP top 10 vulnerabilities for years.
References
Advisory Timeline
- Published
