CVE-2025-59035

4.6 MEDIUM

📋 TL;DR

This CVE describes a stored Cross-Site Scripting (XSS) vulnerability in the Indico event management system, versions prior to 3.3.8. Malicious script is injected through LaTeX math code placed in a contribution or abstract description and executes in the browser of anyone who views the rendered description. Every instance on a vulnerable version is affected; exposure is greatest where untrusted users can author descriptions, typically through a Call for Abstracts workflow.

💻 Affected Systems

Products:
  • Indico
Versions: All versions prior to 3.3.8
Operating Systems: All operating systems running Indico
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the LaTeX math rendering of contribution and abstract descriptions. Whether it can be exploited depends on who is allowed to author those descriptions (open Call for Abstracts, self-registered accounts), not on how users authenticate.

📦 What is this software?

Indico is an open-source event management system developed at CERN for conferences, workshops and meetings. It is a Python (Flask) web application that handles programme scheduling, registration and abstract submission and review; contribution and abstract descriptions support Markdown with embedded LaTeX math.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, deface content, or redirect users to malicious sites, potentially compromising user accounts and sensitive conference data.

🟠

Likely Case

Attackers inject malicious scripts that execute in victims' browsers, potentially stealing session tokens or performing unauthorized actions within the victim's permissions.

🟢

If Mitigated

With the fix applied, math in descriptions is rendered as math or inert text; HTML or script smuggled inside a math expression is not interpreted by the browser and cannot execute.

🌐 Internet-Facing: HIGH - Indico is typically deployed as a web application accessible over the internet, and the vulnerability affects content submission features that may be publicly accessible.
🏢 Internal Only: MEDIUM - Even internally deployed instances could be vulnerable to insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No (the attacker needs an account that can author contribution or abstract descriptions; a Call for Abstracts with self-registration makes that trivial to obtain)
Complexity: MEDIUM

Exploitation requires the ability to submit a contribution or abstract description containing LaTeX math. The realistic attacker is an external submitter, such as a speaker sending an abstract through a Call for Abstracts; the victims are the reviewers, track chairs and attendees who later view the rendered description in their browsers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.8

Vendor Advisory: https://github.com/indico/indico/security/advisories/GHSA-7cf7-9wrr-vrf4

Restart Required: Yes (the WSGI workers, normally uwsgi, and the indico-celery service keep the old code loaded until restarted)

Instructions:

1. Back up the Indico instance and its database.
2. As the Indico user, inside the Indico virtualenv, update with pip install -U 'indico>=3.3.8' (quote the specifier; unquoted, the shell treats > as a redirect).
3. Run indico db upgrade so any pending database migrations are applied, then restart the uwsgi and indico-celery services.
4. Confirm the running version is 3.3.8 or later and that LaTeX math in a contribution or abstract description still renders.

🔧 Temporary Workarounds

Restrict content creation (applies to all vulnerable versions)

Only allow trusted users to create or edit contribution and abstract descriptions, for example by closing or restricting the Call for Abstracts until the instance is patched.

🧯 If You Can't Patch

  • Review every user-submitted description containing LaTeX math before it is shown to reviewers or published, and reject anything with HTML tags, javascript: URIs or on*= attributes inside the math
  • Deploy a web application firewall (WAF) with XSS rules; treat this as a partial measure, since payloads wrapped in LaTeX macros are easy to vary and generic rules will miss some of them

🔍 How to Verify

Check if Vulnerable:

Check whether your Indico version is below 3.3.8 and whether untrusted users can author contribution or abstract descriptions (open Call for Abstracts, self-registered accounts). Any instance below 3.3.8 is vulnerable; that second question only decides how exposed it is.

Check Version:

Inside the Indico virtualenv: python -c "import indico; print(indico.__version__)". The version is also shown in the web interface's admin area. Note that a plain string comparison misorders versions (e.g. "3.3.10" sorts before "3.3.8"); compare the numeric components.

Verify Fix Applied:

After updating to 3.3.8 or later, on a non-production event, add a contribution or abstract description whose math contains an HTML tag and an event-handler attribute, view it as another user, and confirm the markup is rendered inert (shown as text or dropped) rather than executed.
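The following is an added example, not code from the original page or from the Indico project, for the version check above. It compares version numbers numerically, so "3.3.10" correctly counts as newer than "3.3.8", and it treats a pre-release of 3.3.8 (rc, beta, dev) as still vulnerable, since only the final 3.3.8 release is known to carry the fix. The installed-version lookup uses the standard-library importlib.metadata and assumes the distribution is named "indico", which is the name pip installs.

```python
"""Check whether an installed Indico is below the fixed release for this CVE.

Added example (not part of the original page or the Indico project).
"""
import re
from importlib import metadata

FIXED_VERSION = (3, 3, 8)

# major.minor[.patch] followed by an optional suffix such as "rc1", ".dev0" or ".post1"
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(.*?)\s*$")
# suffixes that mark a pre-release (PEP 440 style); ".post1" is a final release
_PRERELEASE_RE = re.compile(r"(?:a|b|rc|dev)\d*$", re.I)


def parse_version(version):
    """Return ((major, minor, patch), is_final) so that tuples order correctly."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Indico version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    is_final = not _PRERELEASE_RE.search(suffix)
    return (int(major), int(minor), int(patch or 0)), is_final


def is_vulnerable(version):
    """True when `version` sorts before the final 3.3.8 release."""
    return parse_version(version) < (FIXED_VERSION, True)


def check_installed(distribution="indico"):
    """Look up the installed package in the current interpreter.

    Returns (version, vulnerable), or (None, None) when the distribution is not
    installed here (typically because the Indico virtualenv is not activated).
    """
    try:
        version = metadata.version(distribution)
    except metadata.PackageNotFoundError:
        return None, None
    return version, is_vulnerable(version)


if __name__ == "__main__":
    installed, vulnerable = check_installed()
    if installed is None:
        print("indico is not installed in this environment; activate the Indico venv first")
    else:
        state = "VULNERABLE (update to 3.3.8 or later)" if vulnerable else "not affected"
        print(f"indico {installed}: {state}")
```

Run it with the Indico virtualenv's interpreter; outside that environment it reports that Indico is not installed rather than silently passing.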

📡 Detection & Monitoring

Log Indicators:

  • Indico does not log description text, so log indicators are weak; the reliable check is scanning the stored contribution and abstract descriptions for math spans containing HTML tags, javascript: URIs or on*= attributes
  • The per-event log in the Indico interface records who created or edited an abstract or contribution and when; bursts of description edits from one account shortly before reviewers or chairs open them are worth a look
  • Math rendering happens client-side, so "failed rendering attempts" are not visible to the server and cannot be taken from Indico logs

Network Indicators:

  • Unexpected inline scripts or third-party resources in pages that display abstracts or contributions (compare the served HTML against a known-good render of the same page)
  • Browser requests from users' sessions to unknown domains right after viewing abstract or contribution pages; a Content-Security-Policy with a report-uri/report-to endpoint turns these into violation reports you can alert on

SIEM Query:

A log search only works where request bodies are captured (WAF or reverse-proxy logs), since Indico's own logs do not contain description text. Where they are:

source="indico" AND ("LaTeX" OR "math" OR "description") AND ("<script" OR "<img" OR "<svg" OR "javascript:" OR "onerror=" OR "onload=")
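Because the submitted descriptions live in the database rather than in any log, the practical detection is to scan them directly. The script below is an added example, not code from the original page or from the Indico project: it extracts the math spans from Markdown-style descriptions ($...$, $$...$$, \( ... \), \[ ... \]) and flags generic XSS indicators inside them. The indicators are heuristics, not the exact payload disclosed for this CVE, so treat hits as items for manual review. It expects a mapping of identifier to description text; how you export the description columns from your own Indico database is left to you, and the SAMPLES dictionary is constructed for the dry run.

```python
"""Triage scan of stored contribution/abstract descriptions for hostile LaTeX math.

Added example (not part of the original page or the Indico project).
"""
import re

# Constructed, hypothetical descriptions for a dry run; none come from a real instance.
SAMPLES = {
    "benign": r"We derive $E = mc^2$ and $$\int_0^1 x^2\,dx = \tfrac13$$ for the detector.",
    "inequality": r"Holds whenever $a<b>c$ and $x < y$.",
    "html_in_math": r"Result: $x<img src=x onerror=alert(1)>$ follows.",
    "js_uri": r"See $\href{javascript:alert(document.cookie)}{proof}$ for details.",
    "no_math": "Plain description with some <b>bold</b> text and no math at all.",
}

# The four math delimiters Markdown+LaTeX descriptions commonly use.
_MATH_RE = re.compile(
    r"\$\$(?P<display>.+?)\$\$"      # $$ ... $$
    r"|\$(?P<inline>[^$\n]+?)\$"     # $ ... $ on one line
    r"|\\\((?P<paren>.+?)\\\)"       # \( ... \)
    r"|\\\[(?P<bracket>.+?)\\\]",    # \[ ... \]
    re.S,
)

# Inequalities like a<b>c are normal in math, so only flag a real-looking tag:
# a known element name, or any element carrying an attribute assignment.
_KNOWN_TAGS = "img|svg|script|iframe|a|style|object|embed|math|input|link|meta|body|div|span|form"
SUSPECT_PATTERNS = [
    ("html tag", re.compile(rf"<\s*/?\s*(?:{_KNOWN_TAGS})\b[^>]*>|<[a-zA-Z]+\s+[a-zA-Z-]+\s*=", re.I)),
    ("javascript: URI", re.compile(r"javascript\s*:", re.I)),
    ("event handler attribute", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("link macro (\\href/\\url)", re.compile(r"\\(?:href|url)\b")),
]


def extract_math(text):
    """Return the raw contents of every math span in `text`, in document order."""
    return [m.group(m.lastgroup) for m in _MATH_RE.finditer(text)]


def scan_description(text):
    """List (indicator, math_snippet) pairs worth a human look; empty means clean."""
    findings = []
    for snippet in extract_math(text):
        for label, pattern in SUSPECT_PATTERNS:
            if pattern.search(snippet):
                findings.append((label, snippet))
    return findings


def scan_descriptions(descriptions):
    """Map each identifier (e.g. an abstract id) to its findings, keeping only hits."""
    report = {}
    for ident, text in descriptions.items():
        hits = scan_description(text)
        if hits:
            report[ident] = hits
    return report


if __name__ == "__main__":
    for ident, hits in scan_descriptions(SAMPLES).items():
        for label, snippet in hits:
            print(f"{ident}: {label}: {snippet}")
```

HTML outside math spans (the "no_math" sample) is deliberately ignored here, since Indico's normal Markdown sanitisation covers it; this scan is only about what gets handed to the math renderer.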
