Primary

Context

Indico Cross-Site Scripting Vulnerability in LaTeX Math Rendering

Vulnerability

Patched

A cross-site scripting vulnerability has been identified in Indico versions through 3.3.7. This issue arises when LaTeX math code is rendered in contribution or abstract descriptions, allowing for the injection of malicious scripts. The vulnerability is particularly concerning for conferences inviting external speakers to submit content, as organizers may not fully trust these contributors.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Remediation

Users are advised to update to Indico version 3.3.8. Instructions for updating can be found in the Indico documentation. As an additional step, consider restricting content creation to trustworthy users, especially when external speakers are involved.

Added: Sep 10, 2025, 4:22 PM

Updated: Sep 10, 2025, 4:22 PM

Vulnerability Rating

Custom Algorithm

spread

1.6

impact

1.7

exploitability

5.2

remediation

8.3

relevance

0.5

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.6

impact

1.7

exploitability

5.2

remediation

8.3

relevance

0.5

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Indico Cross-Site Scripting Vulnerability in LaTeX Math Rendering

Vulnerability

Impact

Remediation

Affected Products

Indico

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating