Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-c98b-cth4-1yf3

Summary

Indico vulnerability allows attackers to bulk dump user details
An endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (such as name, affiliation and email) in bulk.

Aliases

alias	CVE-2025-53640

alias	GHSA-q28v-664f-q6wj

Fixed_packages

url	pkg:pypi/indico@3.3.7
purl	pkg:pypi/indico@3.3.7
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/indico@3.3.7

Affected_packages

url pkg:pypi/indico@2.2

purl pkg:pypi/indico@2.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3ev2-cjep-w3fd

vulnerability	VCID-c98b-cth4-1yf3

vulnerability	VCID-cjkd-nkad-b7a8

vulnerability	VCID-n2kf-a5f2-h7d2

vulnerability	VCID-u63h-ajt2-tbft

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/indico@2.2

References

reference_url

https://docs.getindico.io/en/stable/config/settings/#ALLOW_PUBLIC_USER_SEARCH

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://docs.getindico.io/en/stable/config/settings/#ALLOW_PUBLIC_USER_SEARCH

reference_url

https://docs.getindico.io/en/stable/installation/upgrade

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://docs.getindico.io/en/stable/installation/upgrade

reference_url

https://github.com/indico/indico

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/indico/indico

reference_url

https://github.com/indico/indico/pull/6936/commits/f8583557a3da56aeea8857ae69bf17c9066c95c1

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/indico/indico/pull/6936/commits/f8583557a3da56aeea8857ae69bf17c9066c95c1

reference_url

https://github.com/indico/indico/releases/tag/v3.3.7

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/indico/indico/releases/tag/v3.3.7

reference_url

https://www.vicarius.io/vsociety/posts/cve202553640-detect-indico-vulnerability

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.vicarius.io/vsociety/posts/cve202553640-detect-indico-vulnerability

reference_url

https://www.vicarius.io/vsociety/posts/cve202553640-mitigate-indico-vulnerability

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.vicarius.io/vsociety/posts/cve202553640-mitigate-indico-vulnerability

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-53640

reference_id

CVE-2025-53640

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-53640

reference_url	https://github.com/advisories/GHSA-q28v-664f-q6wj
reference_id	GHSA-q28v-664f-q6wj
reference_type
scores
url	https://github.com/advisories/GHSA-q28v-664f-q6wj

reference_url

https://github.com/indico/indico/security/advisories/GHSA-q28v-664f-q6wj

reference_id

GHSA-q28v-664f-q6wj

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/indico/indico/security/advisories/GHSA-q28v-664f-q6wj

Weaknesses

cwe_id	200
name	Exposure of Sensitive Information to an Unauthorized Actor
description	The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

cwe_id	639
name	Authorization Bypass Through User-Controlled Key
description	The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

cwe_id	862
name	Missing Authorization
description	The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score 4.0 - 6.9

Exploitability 0.5

Weighted_severity 6.2

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c98b-cth4-1yf3

Vulnerability Instance