
2014-SV3 CSRF

Web-related security vulnerability affecting OMERO5 versions up to and including 5.0.5.

Synopsis

Forms in OMERO.web are susceptible to CSRF attacks.

Background

CSRF (cross-site request forgery), also known as a one-click attack or session riding, is a type of malicious exploit in which unauthorized commands are transmitted on behalf of a user that the website trusts. It works because the browser automatically attaches the site's session cookie to a request even when another site triggered that request, so a server that accepts the cookie as its only proof of intent cannot tell a genuine form submission from a forged one.

Affected packages

OMERO.web versions prior to 5.0.6.

Impact

If a user can be convinced or tricked into opening an untrusted webpage from a browser in which they have previously logged into OMERO.web and not logged out, any request that page triggers against OMERO.web carries the existing session cookie, so the untrusted page can perform actions on OMERO as that user.

Due to the complexity of such an exploit, we do not consider this a critical security vulnerability.
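To make the Background and Impact sections concrete, the following is an added illustration written for this page, not OMERO.web's own code and not the 5.0.6 fix: a form handler that trusts the session cookie alone, beside one that also demands a per-session token, run against the request a legitimate form produces and the request an attacker's auto-submitting page produces. The in-memory session store, the request object, the field names (sessionid, csrf_token) and the /delete/ path are all assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory stand-ins for a server session store and an HTTP
# request. Names and fields are assumptions for this example, not OMERO.web's.
SESSIONS = {}  # session id -> {"user": name, "csrf_token": per-session secret}


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user):
    """Create a session; the returned id is what the browser stores as a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """Server-side rendering of a legitimate form: the per-session token is
    embedded in the page, which only the logged-in browser can read."""
    return {"action": "/delete/", "csrf_token": SESSIONS[sid]["csrf_token"]}


def delete_unprotected(req):
    """Vulnerable handler: the session cookie is the only check, so any POST the
    browser sends, including one auto-submitted by a foreign page, is accepted."""
    sess = SESSIONS.get(req.cookies.get("sessionid"))
    if req.method != "POST" or sess is None:
        return 403
    return 200  # the deletion would be carried out as sess["user"] here


def delete_protected(req):
    """Hardened handler: additionally requires the per-session token, which a
    cross-origin page cannot obtain because the same-origin policy keeps it from
    reading the OMERO.web page that carries the token."""
    sess = SESSIONS.get(req.cookies.get("sessionid"))
    if req.method != "POST" or sess is None:
        return 403
    supplied = req.form.get("csrf_token", "")
    # constant-time comparison so the check itself leaks nothing about the token
    if not hmac.compare_digest(supplied, sess["csrf_token"]):
        return 403
    return 200


def legitimate_post(sid):
    """The request the real form produces: session cookie plus embedded token."""
    form = render_form(sid)
    return Request("POST", cookies={"sessionid": sid},
                   form={"image_id": "123", "csrf_token": form["csrf_token"]})


def forged_post(sid):
    """The request an attacker's page produces with an auto-submitting form:
    the browser attaches the victim's session cookie, but the attacker never
    sees the token, so the form carries none."""
    return Request("POST", cookies={"sessionid": sid}, form={"image_id": "123"})


def demo():
    """Outcome of both requests against both handlers for a fresh session."""
    sid = login("alice")
    return {
        "legit_unprotected": delete_unprotected(legitimate_post(sid)),
        "forged_unprotected": delete_unprotected(forged_post(sid)),
        "legit_protected": delete_protected(legitimate_post(sid)),
        "forged_protected": delete_protected(forged_post(sid)),
    }


if __name__ == "__main__":
    print(demo())
```

The unprotected handler returns 200 for both requests, which is the behaviour the Synopsis describes: the forged request is indistinguishable from the real one. The protected handler still accepts the legitimate form and rejects the forged one with 403. The token must be unpredictable and bound to the session, and it must be checked on every state-changing request, not only on the form that renders it; a later browser feature, the SameSite cookie attribute, adds a second layer, but the token check is what makes the form safe regardless of the browser.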

Workaround

Users should actively log out when finished working with OMERO.web and take care when accessing non-trusted websites. Logging out ends the session, so a request forged from another site no longer has a valid session cookie to ride on.

Resolution

All OMERO.server users should upgrade to at least 5.0.6.

Thanks

Leif Nixon, for notifying the OME team of this security issue via our secure mailing list [1] and filing a CVE [2].

[1] Details on the main security vulnerabilities page

[2] www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-7198
