affects OMERO.web versions 5.0.5 and earlier
Forms in OMERO.web are susceptible to CSRF attacks.
CSRF (cross-site request forgery) is also known as a one-click attack or session riding. It's a type of malicious exploit where unauthorized commands are transmitted from a user that the website trusts.
OMERO.web versions prior to 5.0.6.
If a user can be convinced or tricked into opening an untrusted webpage from a browser where they've previously logged into OMERO, the OMERO.web session can be reused to access OMERO as that user.
Due to the complexity of such an exploit, we do not consider this a critical security vulnerability.
Users should actively logout when finished working with OMERO.web and take care when accessing non-trusted websites.
All OMERO.servers should be upgraded to at least 5.0.6.
Leif Nixon for notifying the OME team of this security issue via our secure mailing list and filing a CVE (CVE-2014-7198).
© 2005-2024 University of Dundee & Open Microscopy Environment. Creative Commons Attribution 4.0 International License
OME source code is available under the GNU General public license or more permissive open source licenses, or through commercial license from Glencoe Software Inc.
OME, Bio-Formats, OMERO, IDR and their associated logos are trademarks of Glencoe Software Inc., which holds these marks to protect them on behalf of the OME community.
[ Site Map ]
Version: 2024.04.18