Indico Cross-Site Scripting Vulnerability in File Uploads

Vulnerability

A cross-site scripting vulnerability has been identified in Indico, an event management system that utilizes Flask-Multipass for authentication. This issue affects versions prior to 3.3.10 and arises when certain file types are uploaded as materials. Users are advised to update to version 3.3.10, which includes a patch for this vulnerability. Additionally, those using nginx with Indico's 'STATIC_FILE_METHOD' set to 'xaccelredirect' should modify their webserver configuration to take advantage of the new default Content Security Policy for file downloads. Workarounds include applying a strict Content Security Policy for material download endpoints and restricting content creation privileges to trusted users.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Remediation

Users should update to Indico version 3.3.10. For instructions on how to update, consult the Indico documentation. If using nginx with Indico's 'STATIC_FILE_METHOD' set to 'xaccelredirect', add a line to the webserver configuration to include the Content-Security-Policy header for file downloads.
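As an added example that is not part of this advisory or of Indico's own configuration, the nginx fragment below shows the internal location used with STATIC_FILE_METHOD set to 'xaccelredirect' and the Content-Security-Policy header added to it. The location path, alias and policy value are assumptions; take the actual directive and value from the Indico documentation for your release.

```nginx
# Added example; not Indico's own configuration and not from this advisory.
# Shows where the Content-Security-Policy header belongs when Indico runs
# behind nginx with STATIC_FILE_METHOD = 'xaccelredirect'.
# The location path, alias and header value are assumptions: take the
# real ones from the Indico documentation for your release.

location /.xsf/indico/ {
    internal;               # only reachable via an X-Accel-Redirect from Indico
    alias /opt/indico/;     # placeholder for the storage root Indico redirects into

    # Weak form: no header here. nginx passes only a few upstream headers
    # (Content-Type, Content-Disposition, Cache-Control, ...) through an
    # X-Accel-Redirect, so a policy set by the application never reaches
    # the browser and an uploaded HTML/SVG material is rendered with full
    # script access to the Indico origin.

    # Hardened form: set the policy on the final response itself.
    # 'sandbox' without any allow-* token runs the document in an opaque
    # origin with scripts disabled; default-src 'none' blocks sub-resource
    # loads. "always" applies the header to error responses as well.
    add_header Content-Security-Policy "sandbox; default-src 'none'" always;
}
```

Note that add_header directives in a location block replace, rather than extend, those inherited from the server block, so any site-wide headers must be repeated here.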

Added: Feb 19, 2026, 6:29 PM
Updated: Feb 19, 2026, 6:29 PM

Vulnerability Rating

Custom Algorithm

spread: 1.6
impact: 1.7
exploitability: 4.6
remediation: 8.3
relevance: 3.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.