CVE-2025-59035: 
Python vulnerability analysis and mitigation

Indico, an event management system utilizing Flask-Multipass, was found to contain a Cross-Site-Scripting (XSS) vulnerability (CVE-2025-59035) affecting versions prior to 3.3.8. The vulnerability was discovered in September 2025 and involves the rendering of LaTeX math code in contribution or abstract descriptions (GitHub Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 4.6 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N. This indicates that the vulnerability requires network access, has low attack complexity, requires low privileges and user interaction, has unchanged scope, and can impact both confidentiality and integrity at a low level, with no impact on availability (GitHub Advisory).

The vulnerability allows for Cross-Site-Scripting attacks through LaTeX math code rendering in contribution or abstract descriptions. This could potentially lead to unauthorized access to user data and manipulation of web content, particularly concerning in conference settings where external speakers submit content (GitHub Advisory).

The primary mitigation is to update to Indico version 3.3.8, which contains the security fix. As a temporary workaround, administrators should restrict content creation to trustworthy users only. However, this workaround may not be practical for conferences conducting Call for Abstracts, where external speakers need to submit content (GitHub Release).