Xss vulnerabilities in 3.2.2


We’re migrating to indico 3.2.2, so I’ve installed this on a test server. A nessus scan of this server shows XSS issues, e.g.

  • The following resources may be vulnerable to HTML injection :
  • The ‘password’ parameter of the /login/ CGI :
    -------- output --------
    Content-Length: 6223
    Connection: keep-alive
    X-Indico-URL: /login/?password=<"awapoz%20>
    Set-Cookie: indico_session=f327e010-9ba2-42d9-bff5-e56613060660; E […]

(there are several pages of similar items).

Is this a real problem, and if so is there a fix or a workaround?

Thanks and regards,


Sorry, but where is the XSS there? Your scanner seems to consider ANY echoing a problem, but the URL being echo’d back in a header is no XSS risk whatsoever.

Thanks for the quick answer. I think that it is complaining that it gets put into the X-Indico-URL header. I think this is not an issue and the scanner is being over-careful. Can you confirm that it is not a problem?



Exactly, headers are not even rendered as HTML anywhere…