CVE-2023-37901: 
Python vulnerability analysis and mitigation

A Cross-Site-Scripting (XSS) vulnerability was discovered in Indico, an open source web-based event management tool, affecting versions prior to 3.2.6. The vulnerability (CVE-2023-37901) exists in confirmation prompts commonly used when deleting content from Indico. The issue was disclosed on July 20, 2023 (GitHub Advisory).

The vulnerability allows for Cross-Site-Scripting attacks through confirmation prompts used in the content deletion process. The exploitation requires an attacker to have at least submission privileges (such as a speaker) and relies on someone else attempting to delete the malicious content. The vulnerability is tracked as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 Base Score of 5.4 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) (NVD).

If successfully exploited, an attacker could execute arbitrary script code in a victim's web browser within the context of the compromised interface. The risk is particularly significant when combined with social engineering tactics that could direct victims toward the malicious content. This is especially concerning for conferences conducting Call for Abstracts, where external speakers (who may not be fully trusted) are actively invited to submit content (GitHub Advisory).

The primary mitigation is to update to Indico version 3.2.6 or later. For users who cannot immediately upgrade, the recommended workaround is to only allow trustworthy users to manage categories, create events, or upload materials (submission privileges on a contribution/event). However, this workaround may not be practical for conferences with Call for Abstracts features where external speakers need submission access (GitHub Advisory).