CVE-2026-25739

Severity: MEDIUM (CVSS 5.4), EPSS 0.06%

Indico Affected by Cross-Site-Scripting via material uploads

Published: 2026/2/17, Modified: 2026/2/22

Description

### Impact

There is a Cross-Site-Scripting vulnerability when uploading certain file types as materials.

### Patches

You should update to [Indico 3.3.10](https://github.com/indico/indico/releases/tag/v3.3.10) as soon as possible. See [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update.

Please be aware that updating is sufficient to apply the fix itself, but to benefit from the strict Content-Security-Policy we now apply by default for file downloads, you need to update your webserver config if you use nginx with Indico's `STATIC_FILE_METHOD` set to `xaccelredirect`. Add the following line to the `.xsf/indico/` location block (you can consult the Indico setup documentation for the full configuration snippet):

```nginx
add_header Content-Security-Policy $upstream_http_content_security_policy;
```

### Workarounds

- Use your webserver config to apply a strict CSP for material download endpoints.
- Only let trustworthy users create content (including material uploads, which speakers can typically do as well) on Indico.

### For more information

If you have any questions or comments about this advisory:

- Open a thread in [our forum](https://talk.getindico.io/)
- Email us privately at [[email protected]](mailto:[email protected])

Affected packages (1)

CVSS score

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |

Reference links (4)