CVE-2025-59034
MEDIUM4.3EPSS 0.05%Indico may disclose unauthorized user details access via legacy API
Description
### Impact A legacy API to retrieve user details could be misused to retrieve profile details of other users without having admin permissions due to a broken access check. ### Patches You should to update to [Indico 3.3.8](https://github.com/indico/indico/releases/tag/v3.3.8) as soon as possible. See [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update. ### Workarounds It is possible to restrict access to the affected API (e.g. in the webserver config) which is most likely unused anyway and thus will not break anything. ### For more information If you have any questions or comments about this advisory: - Open a thread in [our forum](https://talk.getindico.io/) - Email us privately at [[email protected]](mailto:[email protected])
Affected packages (1)
- PyPI/indicofrom 0, < 3.3.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |