CVE-2021-30185: 
Python vulnerability analysis and mitigation

CERN Indico before version 2.3.4 contained a security vulnerability where the application could use an attacker-supplied Host header in password reset links. This vulnerability was assigned CVE-2021-30185 and was disclosed in April 2021 (Release Notes).

The vulnerability allowed malicious actors to manipulate the Host header in requests, potentially causing Indico to generate password reset links pointing to an attacker-controlled domain instead of the legitimate Indico host. This vulnerability required user interaction, specifically clicking on an unrequested password reset link pointing to a domain different from where Indico was running (Release Notes).

If exploited, this vulnerability could help attackers make harmful URLs look more trustworthy by linking to Indico and having it redirect users to malicious sites. This could potentially lead to credential theft if users clicked on manipulated password reset links (Release Notes).

The vulnerability was fixed in Indico version 2.3.4 by enforcing the BASE_URL and rejecting requests whose Host header does not match. Organizations should upgrade to version 2.3.4 or later to protect against this vulnerability. As a workaround, configuring the webserver to enforce a canonical host name and reject or redirect unauthorized requests can help prevent exploitation (Release Notes).