CVE-2025-59034 MEDIUM

CVE-2025-59034: Indico may disclose unauthorized user details access via legacy API

Vendor Indico
Product indico
Weakness CWE-639 · IDOR
Published September 10, 2025
Last update September 11, 2025

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Prior to version 3.3.8, a legacy API to retrieve user details could be misused to retrieve profile details of other users without having admin permissions due to a broken access check. Users should to update to Indico 3.3.8 as soon as possible. As a workaround, it is possible to restrict access to the affected API (e.g. in the webserver config).

Key dates

02Disclosure timeline

September 10, 2025 CVE published
September 11, 2025 Record updated