CVE-2025-53640
BaseFortify

Publication date: 2025-07-14

Last updated on: 2025-09-15

Assigner: GitHub, Inc.

Description
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Starting in version 2.2 and prior to version 3.3.7, an endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (such as name, affiliation and email) in bulk. Version 3.3.7 fixes the issue. Owners of instances that allow everyone to create a user account, who wish to truly restrict access to these user details, should consider restricting user search to managers. As a workaround, it is possible to restrict access to the affected endpoints (e.g. in the webserver config), but doing so would break certain form fields which could no longer show the details of the users listed in those fields, so upgrading instead is highly recommended.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-07-15
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor   Product   Version / Range
cern     indico    From 2.2 (inc) to 3.3.7 (exc)
CWE ID    Description
CWE-862   The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-639   The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-200   The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Indico, an event management system, involves an endpoint that displays user details such as name, affiliation, and email. In versions starting from 2.2 up to but not including 3.3.7, this endpoint could be misused to bulk dump basic user information. The issue is fixed in version 3.3.7. The vulnerability arises because the endpoint allows access to user details that should be restricted, especially if the instance allows everyone to create user accounts.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of user information such as names, affiliations, and emails in bulk. This could result in privacy breaches, unwanted exposure of user data, and potential misuse of this information by attackers. If your Indico instance allows open user account creation, sensitive user details could be accessed by unauthorized users.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability could negatively impact compliance with data protection regulations such as GDPR and HIPAA because it allows unauthorized access to personal user information. Unauthorized bulk disclosure of user details may violate privacy and data protection requirements, potentially leading to regulatory penalties. To mitigate this, upgrading to version 3.3.7 or restricting access to the affected endpoints is recommended.


What immediate steps should I take to mitigate this vulnerability?

The recommended immediate step is to upgrade Indico to version 3.3.7 or later, which fixes the issue. As a workaround, you can restrict access to the affected endpoints via webserver configuration, but this may break certain form fields that display user details. Additionally, if your instance allows everyone to create user accounts and you want to restrict access to user details, consider restricting user search functionality to managers only.

