This issue affects OMERO.web versions 5.0.5 and earlier.
Forms in OMERO.web are susceptible to CSRF attacks.
CSRF (cross-site request forgery) is also known as a one-click attack or session riding. It's a type of malicious exploit where unauthorized commands are transmitted from a user that the website trusts.
The affected releases are all OMERO.web versions prior to 5.0.6.
If a user can be convinced or tricked into opening an untrusted webpage from a browser where they've previously logged into OMERO, the OMERO.web session can be reused to access OMERO as that user.
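The failure mode above is that the browser attaches the OMERO.web session cookie to any request, including one submitted by an untrusted page. The following added illustration (hypothetical code, not OMERO.web's or Django's own implementation) shows the synchronizer-token defence: a state-changing POST is accepted only if it carries the token bound to the session and, where an Origin header is present, comes from the site itself (`https://omero.example.org` is an assumed placeholder).

```python
import hmac
import secrets

# Hypothetical minimal server state: session id -> {"user": ..., "csrf": ...}
SESSIONS = {}
TRUSTED_ORIGIN = "https://omero.example.org"  # assumed placeholder


def login(user):
    """Create a session for `user` and bind a fresh CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """Fields a page served by this site embeds in its form, token included."""
    return {"csrfmiddlewaretoken": SESSIONS[sid]["csrf"]}


def handle_post(cookies, form, origin):
    """Process a state-changing POST. Returns (status, message)."""
    sess = SESSIONS.get(cookies.get("sessionid"))
    if sess is None:
        return 403, "no session"
    # The cookie alone proves nothing about which page built the request,
    # so require the per-session token that only a same-site page can read.
    token = form.get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "CSRF token missing or invalid"
    # Defence in depth: when the browser sends Origin, it must be ours.
    if origin is not None and origin != TRUSTED_ORIGIN:
        return 403, "cross-origin request rejected"
    return 200, "action performed as " + sess["user"]


def demo():
    """Constructed check: a same-site form succeeds, a third-party one fails."""
    sid = login("alice")
    cookies = {"sessionid": sid}  # browser sends this cookie in both cases
    legit = handle_post(cookies, render_form(sid), TRUSTED_ORIGIN)
    # A request built by another site lacks the token (it cannot read it).
    third_party = handle_post(cookies, {"cmd": "delete"}, "https://other.example")
    return legit, third_party
```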
Due to the complexity of such an exploit, we do not consider this a critical security vulnerability.
Users should actively log out when finished working with OMERO.web and take care when accessing non-trusted websites.
All OMERO.server installations should be upgraded to at least 5.0.6.
Thanks to Leif Nixon for notifying the OME team of this security issue via our secure mailing list and filing a CVE (CVE-2014-7198).