affects OMERO.web versions prior to 5.9.0
If an attacker tricks a user into clicking a malicious link displayed in OMERO.web, the full URL of the OMERO.web page the user was on, including its query parameters, may be exposed in the HTTP Referer header sent to the server that the link points to.
When a hyperlink on a web page is clicked, most browsers by default send the full URL of the current page in the HTTP Referer header (the header name is spelled "Referer") of the request to the link's target server. If the URL of the current page contains sensitive information, for example query parameters or object IDs, that information is included in the Referer header and can be read by the linked server. A page can limit this by declaring a referrer policy, which tells the browser how much of the current URL (nothing, the origin only, or the full URL) to send, and by default OMERO.web did not declare one.
This vulnerability is identified as CVE-2020-7932.
OMERO.web, all versions prior to 5.9.0.
All OMERO.web servers should be upgraded to at least 5.9.0, which sets a referrer policy via the omero.web.html_meta_referrer setting. If your users use Internet Explorer 11 (IE11), consider setting omero.web.html_meta_referrer to origin instead of the default origin-when-crossorigin: IE11 does not understand that value, and a browser that does not recognise a referrer-policy value ignores it and falls back to its built-in default, so the full URL would still be sent.
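To make the leak described above and the effect of the recommended setting concrete, the following Python script is an added example, not part of this advisory or of the OMERO.web code base. It models how a browser computes the Referer value for a click from one URL to another under each referrer-policy value, including the fallback that occurs when the browser does not recognise the value. The URLs are constructed samples, and the set of values attributed to IE11 is an assumption: the model only encodes that IE11 understands origin but not origin-when-crossorigin, which is what this advisory states.

```python
from urllib.parse import urlsplit, urlunsplit

# Policy tokens a current browser accepts. "origin-when-crossorigin" is the
# legacy spelling that OMERO.web emits by default; modern browsers still accept it.
MODERN_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "origin-when-crossorigin", "same-origin",
    "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}

# Assumption (not from the advisory): IE11 is modelled as understanding only
# these tokens. The advisory itself only says it understands "origin" and not
# "origin-when-crossorigin".
IE11_POLICIES = {"origin", "no-referrer", "unsafe-url"}

# Browser fallback used when the policy token is empty or unrecognised. This was
# the common default when the advisory was written and is still IE11's default;
# current Chrome and Firefox fall back to strict-origin-when-cross-origin instead.
LEGACY_DEFAULT = "no-referrer-when-downgrade"


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def _stripped(url):
    """The full URL as a browser would put it in Referer: no userinfo, no fragment."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))


def referer_for(page_url, link_url, policy, understood=MODERN_POLICIES,
                default=LEGACY_DEFAULT):
    """Referer value sent when a link on page_url to link_url is clicked.

    Returns None when the browser sends no Referer header at all.
    """
    if policy not in understood:
        policy = default  # unknown or empty token: browser ignores it
    same_origin = _origin(page_url) == _origin(link_url)
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(link_url).scheme != "https")
    origin = _origin(page_url) + "/"   # origin is serialised with a trailing slash
    full = _stripped(page_url)

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy in ("origin-when-cross-origin", "origin-when-crossorigin"):
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unhandled policy {policy!r}")


def query_leaks(page_url, link_url, policy, understood=MODERN_POLICIES):
    """True if the page's query string (object IDs etc.) reaches the link target."""
    ref = referer_for(page_url, link_url, policy, understood)
    query = urlsplit(page_url).query
    return bool(query) and ref is not None and query in ref


if __name__ == "__main__":
    # Constructed sample URLs; no real servers are involved.
    page = "https://omero.example.org/webclient/?show=image-12345&server=1"
    cross = "https://papers.example.net/supplementary"
    cases = [
        ("no policy (pre-5.9.0), modern browser", "", MODERN_POLICIES),
        ("origin-when-crossorigin, modern browser", "origin-when-crossorigin", MODERN_POLICIES),
        ("origin-when-crossorigin, IE11", "origin-when-crossorigin", IE11_POLICIES),
        ("origin, IE11", "origin", IE11_POLICIES),
    ]
    for label, policy, browser in cases:
        ref = referer_for(page, cross, policy, browser)
        print(f"{label:42} Referer={ref!r} leaks_query={query_leaks(page, cross, policy, browser)}")
```

Running it shows the three situations the advisory cares about: with no policy the cross-origin target receives the full webclient URL with show=image-12345; with the default origin-when-crossorigin a modern browser sends only https://omero.example.org/; an IE11-like browser ignores that token and again leaks the full URL, while origin stops the leak for both. Same-origin links to other OMERO.web pages keep the full Referer under origin-when-crossorigin, which is why it is the default rather than origin. The setting itself is changed with the OMERO CLI, for example omero config set omero.web.html_meta_referrer origin.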
For additional information see: