affects OMERO.web versions prior to 5.9.0
OMERO.web exposes some unnecessary session information in the page.
OMERO.web loads various information about the current user such as their id, name and the groups they are in, and these are available on the main webclient pages. Some additional information being loaded is not used by the webclient and is being removed in this release.
This vulnerability is identified as CVE-2021-21376 and GHSA-gfp2-w5jm-955q.
OMERO.web before 5.9.0.
All OMERO.web should be upgraded to at least 5.9.0.