CVE-2025-59034
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-10

Last updated on: 2025-09-17

Assigner: GitHub, Inc.

Description
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Prior to version 3.3.8, a legacy API to retrieve user details could be misused to retrieve profile details of other users without having admin permissions due to a broken access check. Users should to update to Indico 3.3.8 as soon as possible. As a workaround, it is possible to restrict access to the affected API (e.g. in the webserver config).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-10
Last Modified
2025-09-17
Generated
2026-06-16
AI Q&A
2025-09-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59034
EUVD
EUVD-2025-27579
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cern indico to 3.3.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-59034 is a vulnerability in the Indico event management system where a legacy API has a broken access control check. This flaw allows users with low privileges to retrieve profile details of other users without needing admin permissions or user interaction. The issue is due to an authorization bypass through user-controlled keys, enabling unauthorized access to user data. It affects Indico versions prior to 3.3.8 and was fixed in version 3.3.8. [2]

Impact Analysis

This vulnerability can impact you by allowing attackers with low privileges to access personal profile information of other users without authorization. Although it does not affect data integrity or availability, it compromises confidentiality by exposing user details, which could lead to privacy violations or further targeted attacks. [2]

Compliance Impact

This vulnerability can negatively affect compliance with data protection regulations such as GDPR and HIPAA because it allows unauthorized access to personal user information, potentially leading to data breaches and violations of privacy requirements mandated by these standards. [2]

Detection Guidance

This vulnerability involves unauthorized access to user details via a legacy API in Indico versions prior to 3.3.8. Detection can involve monitoring network traffic for requests to the legacy API endpoints that retrieve user profile details without proper authorization. Specific commands depend on your environment, but you can use tools like curl or wget to test access to the legacy API endpoints and check if user details can be retrieved without admin permissions. For example, a curl command to the legacy API endpoint could be used to verify if unauthorized data is accessible. Additionally, reviewing web server logs for unusual or unauthorized access patterns to the legacy API can help detect exploitation attempts. [2]

Mitigation Strategies

Immediate mitigation steps include updating Indico to version 3.3.8 or later, which contains the patch fixing this vulnerability. If updating immediately is not possible, restrict access to the affected legacy API via your web server configuration to prevent unauthorized access. This workaround typically does not affect functionality since the legacy API is likely unused. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59034. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart