Vulnerabilites related to ome - omero-web
CVE-2021-21377 (GCVE-0-2021-21377)
Vulnerability from cvelistv5
Published
2021-03-23 15:25
Modified
2024-08-03 18:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Summary
OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the omero.web.redirect_allowed_hosts setting.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:15.795Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pypi.org/project/omero-web/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ome/omero-web/security/advisories/GHSA-g4rf-pc26-6hmr"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openmicroscopy.org/security/advisories/2021-SV2/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "omero-web",
"vendor": "ome",
"versions": [
{
"status": "affected",
"version": "\u003c 5.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the omero.web.redirect_allowed_hosts setting."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-23T15:25:28",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pypi.org/project/omero-web/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ome/omero-web/security/advisories/GHSA-g4rf-pc26-6hmr"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openmicroscopy.org/security/advisories/2021-SV2/"
}
],
"source": {
"advisory": "GHSA-g4rf-pc26-6hmr",
"discovery": "UNKNOWN"
},
"title": "Open Redirect in OMERO.web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21377",
"STATE": "PUBLIC",
"TITLE": "Open Redirect in OMERO.web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "omero-web",
"version": {
"version_data": [
{
"version_value": "\u003c 5.9.0"
}
]
}
}
]
},
"vendor_name": "ome"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the omero.web.redirect_allowed_hosts setting."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pypi.org/project/omero-web/",
"refsource": "MISC",
"url": "https://pypi.org/project/omero-web/"
},
{
"name": "https://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021",
"refsource": "MISC",
"url": "https://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021"
},
{
"name": "https://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c",
"refsource": "MISC",
"url": "https://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c"
},
{
"name": "https://github.com/ome/omero-web/security/advisories/GHSA-g4rf-pc26-6hmr",
"refsource": "CONFIRM",
"url": "https://github.com/ome/omero-web/security/advisories/GHSA-g4rf-pc26-6hmr"
},
{
"name": "https://www.openmicroscopy.org/security/advisories/2021-SV2/",
"refsource": "MISC",
"url": "https://www.openmicroscopy.org/security/advisories/2021-SV2/"
}
]
},
"source": {
"advisory": "GHSA-g4rf-pc26-6hmr",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21377",
"datePublished": "2021-03-23T15:25:28",
"dateReserved": "2020-12-22T00:00:00",
"dateUpdated": "2024-08-03T18:09:15.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35180 (GCVE-0-2024-35180)
Vulnerability from cvelistv5
Published
2024-05-21 12:33
Modified
2024-08-02 03:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-830 - Inclusion of Web Functionality from an Untrusted Source
Summary
OMERO.web provides a web based client and plugin infrastructure. There is currently no escaping or validation of the `callback` parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. This vulnerability has been patched in version 5.26.0.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35180",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-21T15:13:29.799514Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:34:51.270Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:46.755Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ome/omero-web/security/advisories/GHSA-vr85-5pwx-c6gq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ome/omero-web/security/advisories/GHSA-vr85-5pwx-c6gq"
},
{
"name": "https://github.com/ome/omero-web/commit/d41207cbb82afc56ea79e84db532608aa24ab4aa",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ome/omero-web/commit/d41207cbb82afc56ea79e84db532608aa24ab4aa"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "omero-web",
"vendor": "ome",
"versions": [
{
"status": "affected",
"version": "\u003c= 5.25.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OMERO.web provides a web based client and plugin infrastructure. There is currently no escaping or validation of the `callback` parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. This vulnerability has been patched in version 5.26.0.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-830",
"description": "CWE-830: Inclusion of Web Functionality from an Untrusted Source",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-21T12:33:02.639Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ome/omero-web/security/advisories/GHSA-vr85-5pwx-c6gq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ome/omero-web/security/advisories/GHSA-vr85-5pwx-c6gq"
},
{
"name": "https://github.com/ome/omero-web/commit/d41207cbb82afc56ea79e84db532608aa24ab4aa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ome/omero-web/commit/d41207cbb82afc56ea79e84db532608aa24ab4aa"
}
],
"source": {
"advisory": "GHSA-vr85-5pwx-c6gq",
"discovery": "UNKNOWN"
},
"title": "OMERO.web JSONP callback vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-35180",
"datePublished": "2024-05-21T12:33:02.639Z",
"dateReserved": "2024-05-10T14:24:24.339Z",
"dateUpdated": "2024-08-02T03:07:46.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54791 (GCVE-0-2025-54791)
Vulnerability from cvelistv5
Published
2025-08-13 14:08
Modified
2025-08-13 14:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Summary
OMERO.web provides a web based client and plugin infrastructure. Prior to version 5.29.2, if an error occurred when resetting a user's password using the Forgot Password option in OMERO.web, the error message displayed on the Web page can disclose information about the user. This issue has been patched in version 5.29.2. A workaround involves disabling the Forgot password option in OMERO.web using the omero.web.show_forgot_password configuration property.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54791",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-13T14:25:17.275870Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T14:25:28.402Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "omero-web",
"vendor": "ome",
"versions": [
{
"status": "affected",
"version": "\u003c 5.29.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OMERO.web provides a web based client and plugin infrastructure. Prior to version 5.29.2, if an error occurred when resetting a user\u0027s password using the Forgot Password option in OMERO.web, the error message displayed on the Web page can disclose information about the user. This issue has been patched in version 5.29.2. A workaround involves disabling the Forgot password option in OMERO.web using the omero.web.show_forgot_password configuration property."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209: Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T14:08:19.607Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ome/omero-web/security/advisories/GHSA-gpmg-4x4g-mr5r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ome/omero-web/security/advisories/GHSA-gpmg-4x4g-mr5r"
},
{
"name": "https://github.com/ome/omero-web/commit/8aa2789e8f759c73f1517abe9a0abd44e86644ad",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ome/omero-web/commit/8aa2789e8f759c73f1517abe9a0abd44e86644ad"
}
],
"source": {
"advisory": "GHSA-gpmg-4x4g-mr5r",
"discovery": "UNKNOWN"
},
"title": "OMERO.web displays unecessary user information when requesting to reset the password"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54791",
"datePublished": "2025-08-13T14:08:19.607Z",
"dateReserved": "2025-07-29T16:50:28.394Z",
"dateUpdated": "2025-08-13T14:25:28.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41132 (GCVE-0-2021-41132)
Vulnerability from cvelistv5
Published
2021-10-14 15:45
Modified
2024-08-04 02:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Summary
OMERO.web provides a web based client and plugin infrastructure. In versions prior to 5.11.0, a variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of ``jQuery.html()``, there are a whole host of cross-site scripting possibilities with specially crafted input to a variety of fields. This issue is patched in version 5.11.0. There are no known workarounds aside from upgrading.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.416Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ome/omero-web/security/advisories/GHSA-g67g-hvc3-xmvf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ome/omero-web/commit/0168067accde5e635341b3c714b1d53ae92ba424"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openmicroscopy.org/security/advisories/2021-SV3/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "omero-web",
"vendor": "ome",
"versions": [
{
"status": "affected",
"version": "\u003c 5.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OMERO.web provides a web based client and plugin infrastructure. In versions prior to 5.11.0, a variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of ``jQuery.html()``, there are a whole host of cross-site scripting possibilities with specially crafted input to a variety of fields. This issue is patched in version 5.11.0. There are no known workarounds aside from upgrading."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-14T15:45:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ome/omero-web/security/advisories/GHSA-g67g-hvc3-xmvf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ome/omero-web/commit/0168067accde5e635341b3c714b1d53ae92ba424"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openmicroscopy.org/security/advisories/2021-SV3/"
}
],
"source": {
"advisory": "GHSA-g67g-hvc3-xmvf",
"discovery": "UNKNOWN"
},
"title": "Inconsistent input sanitisation leads to XSS vectors",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41132",
"STATE": "PUBLIC",
"TITLE": "Inconsistent input sanitisation leads to XSS vectors"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "omero-web",
"version": {
"version_data": [
{
"version_value": "\u003c 5.11.0"
}
]
}
}
]
},
"vendor_name": "ome"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OMERO.web provides a web based client and plugin infrastructure. In versions prior to 5.11.0, a variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of ``jQuery.html()``, there are a whole host of cross-site scripting possibilities with specially crafted input to a variety of fields. This issue is patched in version 5.11.0. There are no known workarounds aside from upgrading."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-116: Improper Encoding or Escaping of Output"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/ome/omero-web/security/advisories/GHSA-g67g-hvc3-xmvf",
"refsource": "CONFIRM",
"url": "https://github.com/ome/omero-web/security/advisories/GHSA-g67g-hvc3-xmvf"
},
{
"name": "https://github.com/ome/omero-web/commit/0168067accde5e635341b3c714b1d53ae92ba424",
"refsource": "MISC",
"url": "https://github.com/ome/omero-web/commit/0168067accde5e635341b3c714b1d53ae92ba424"
},
{
"name": "https://www.openmicroscopy.org/security/advisories/2021-SV3/",
"refsource": "MISC",
"url": "https://www.openmicroscopy.org/security/advisories/2021-SV3/"
}
]
},
"source": {
"advisory": "GHSA-g67g-hvc3-xmvf",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41132",
"datePublished": "2021-10-14T15:45:12",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T02:59:31.416Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21376 (GCVE-0-2021-21376)
Vulnerability from cvelistv5
Published
2021-03-23 15:25
Modified
2024-08-03 18:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Information Exposure
Summary
OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 loads various information about the current user such as their id, name and the groups they are in, and these are available on the main webclient pages. This represents an information exposure vulnerability. Some additional information being loaded is not used by the webclient and is being removed in this release. This is fixed in version 5.9.0.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:15.994Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ome/omero-web/security/advisories/GHSA-gfp2-w5jm-955q"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pypi.org/project/omero-web/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openmicroscopy.org/security/advisories/2021-SV1/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "omero-web",
"vendor": "ome",
"versions": [
{
"status": "affected",
"version": "\u003c 5.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 loads various information about the current user such as their id, name and the groups they are in, and these are available on the main webclient pages. This represents an information exposure vulnerability. Some additional information being loaded is not used by the webclient and is being removed in this release. This is fixed in version 5.9.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Information Exposure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-23T15:25:22",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ome/omero-web/security/advisories/GHSA-gfp2-w5jm-955q"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pypi.org/project/omero-web/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openmicroscopy.org/security/advisories/2021-SV1/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c"
}
],
"source": {
"advisory": "GHSA-gfp2-w5jm-955q",
"discovery": "UNKNOWN"
},
"title": "Information Exposure in OMERO.web",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21376",
"STATE": "PUBLIC",
"TITLE": "Information Exposure in OMERO.web"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "omero-web",
"version": {
"version_data": [
{
"version_value": "\u003c 5.9.0"
}
]
}
}
]
},
"vendor_name": "ome"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 loads various information about the current user such as their id, name and the groups they are in, and these are available on the main webclient pages. This represents an information exposure vulnerability. Some additional information being loaded is not used by the webclient and is being removed in this release. This is fixed in version 5.9.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Exposure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/ome/omero-web/security/advisories/GHSA-gfp2-w5jm-955q",
"refsource": "CONFIRM",
"url": "https://github.com/ome/omero-web/security/advisories/GHSA-gfp2-w5jm-955q"
},
{
"name": "https://pypi.org/project/omero-web/",
"refsource": "MISC",
"url": "https://pypi.org/project/omero-web/"
},
{
"name": "https://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021",
"refsource": "MISC",
"url": "https://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021"
},
{
"name": "https://www.openmicroscopy.org/security/advisories/2021-SV1/",
"refsource": "MISC",
"url": "https://www.openmicroscopy.org/security/advisories/2021-SV1/"
},
{
"name": "https://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c",
"refsource": "MISC",
"url": "https://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c"
}
]
},
"source": {
"advisory": "GHSA-gfp2-w5jm-955q",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21376",
"datePublished": "2021-03-23T15:25:22",
"dateReserved": "2020-12-22T00:00:00",
"dateUpdated": "2024-08-03T18:09:15.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}