Indico Event Management Series API Access Control Vulnerability

Vulnerability

A vulnerability in Indico's event management system, specifically in versions prior to 3.3.11, allows unauthenticated and unauthorized access to the API endpoint that manages event series. This endpoint lacks proper access checks, enabling users to retrieve metadata (such as titles, category chains, and event dates) for events within a series, as well as to delete or modify existing event series. However, this vulnerability does not permit unauthorized access to detailed event content or the ability to alter user-visible data within events.

Impact

Exploitation of this vulnerability could lead to unauthorized access to event series metadata, deletion or modification of event series information, and, in cases where events have access restrictions, disclosure of restricted event titles and categories.

Remediation

Users are advised to update Indico to version 3.3.11 or later. Instructions for upgrading can be found in the Indico documentation. As an additional step, configure the web server to restrict access to the event series management API endpoint.
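Added example (not part of the advisory and not Indico code): a triage pass over web server access logs that lists served requests to the series management endpoint from clients outside the networks expected to manage series. The endpoint prefix is a placeholder because the advisory does not state the path; the trusted network, the method-to-impact mapping, and the "combined" log format are assumptions, and the log lines are constructed.

```python
import ipaddress
import re

# Assumption: placeholder; the advisory does not state the endpoint path.
SERIES_API_PREFIX = "/SERIES-API-PLACEHOLDER/"
# Assumption: networks from which series management is expected.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Leading fields of the nginx/Apache "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines, not taken from any real server.
SAMPLE = [
    '203.0.113.7 - - [20/Feb/2026:10:00:01 +0000] "GET /SERIES-API-PLACEHOLDER/12 HTTP/1.1" 200 512 "-" "-"',
    '10.1.2.3 - - [20/Feb/2026:10:05:00 +0000] "PATCH /SERIES-API-PLACEHOLDER/12 HTTP/1.1" 200 64 "-" "-"',
    '198.51.100.20 - - [20/Feb/2026:10:07:30 +0000] "DELETE /SERIES-API-PLACEHOLDER/12 HTTP/1.1" 204 0 "-" "-"',
    '203.0.113.7 - - [20/Feb/2026:10:08:00 +0000] "GET /event/99/ HTTP/1.1" 200 9000 "-" "-"',
    '203.0.113.7 - - [20/Feb/2026:10:09:00 +0000] "DELETE /SERIES-API-PLACEHOLDER/13 HTTP/1.1" 403 0 "-" "-"',
]

def classify(method):
    """Map an HTTP method to an impact named in the advisory (assumed mapping)."""
    if method in ("GET", "HEAD"):
        return "metadata-read"
    return "series-delete" if method == "DELETE" else "series-modify"

def is_trusted(ip_text):
    try:
        return any(ipaddress.ip_address(ip_text) in net for net in TRUSTED_NETS)
    except ValueError:  # hostname instead of an address in the client field
        return False

def triage(lines):
    """Return (ip, method, path, kind) for served requests from untrusted clients."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(SERIES_API_PREFIX):
            continue
        if not m["status"].startswith("2") or is_trusted(m["ip"]):
            continue  # not served, or from an expected management network
        findings.append((m["ip"], m["method"], m["path"], classify(m["method"])))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Access logs do not show whether a request carried a valid Indico session, so the client network is used here as the discriminator; findings are candidates for review against expected series changes.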

Added: Feb 27, 2026, 9:21 PM
Updated: Feb 27, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm

spread: 1.6
impact: 1.3
exploitability: 7.9
remediation: 8.3
relevance: 3.3
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.