Affects OMERO.server versions 5.1.0 to 5.6.0.
OMERO does not fully restrict the actions of group owners to within their group.
OMERO allows group owners to perform various actions as another member of their group. In some cases, these actions are not restricted to the group they own.
OMERO 5.6.1 adds a server-side check that the session context for a group owner is limited to their groups.
This vulnerability is identified as CVE-2020-6752.
OMERO.server before 5.6.1.
All OMERO.servers should be upgraded to at least 5.6.1.
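The following is a simplified model of the session-context check described for 5.6.1. It is an added illustration, not OMERO's code. All names (`Group`, `open_context_unchecked`, `open_context_checked`, the sample users and groups) are hypothetical, and the model assumes "their groups" means groups the requester owns.

```python
from dataclasses import dataclass

@dataclass
class Group:
    name: str
    owners: set
    members: set

class ContextDenied(Exception):
    """Raised when a requested session context is not permitted."""

def open_context_unchecked(groups, requester, act_as, group_name):
    # Model of the flawed behaviour: the server only confirms that the
    # requester owns *some* group containing the target user, then accepts
    # whatever group the session context names.
    if not any(requester in g.owners and act_as in g.members
               for g in groups.values()):
        raise ContextDenied(f"{requester} owns no group containing {act_as}")
    return {"user": act_as, "group": group_name}

def open_context_checked(groups, requester, act_as, group_name):
    # Model of the added server-side check: the group named in the session
    # context must itself be owned by the requester and contain the target.
    target = groups.get(group_name)
    if target is None:
        raise ContextDenied(f"unknown group {group_name}")
    if requester not in target.owners:
        raise ContextDenied(f"{requester} does not own {group_name}")
    if act_as not in target.members:
        raise ContextDenied(f"{act_as} is not a member of {group_name}")
    return {"user": act_as, "group": group_name}

def sample_groups():
    # Constructed sample data: mia belongs to two groups, olga owns only one.
    return {
        "lab-a": Group("lab-a", owners={"olga"}, members={"olga", "mia"}),
        "lab-b": Group("lab-b", owners={"ben"}, members={"ben", "mia"}),
    }

if __name__ == "__main__":
    groups = sample_groups()
    # olga owns lab-a only, yet the unchecked path lets her act in lab-b.
    print(open_context_unchecked(groups, "olga", "mia", "lab-b"))
    try:
        open_context_checked(groups, "olga", "mia", "lab-b")
    except ContextDenied as exc:
        print("denied:", exc)
```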