affects OMERO.web versions prior to 5.11.0, OMERO.figure versions prior to 4.4.1
Inconsistent input sanitization leads to XSS vectors.
A variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of jQuery.html(), there are a whole host of XSS possibilities with specially crafted input to a variety of fields. setting.
This vulnerability is identified as CVE-2021-41132 and GHSA-g67g-hvc3-xmvf.
OMERO.web before 5.11.0 and OMERO.figure before 4.4.1.
Low severity.
All OMERO.web deployments should be upgraded to at least 5.11.0. All OMERO.figure deployments should be upgraded to at least 4.4.1.
Lachlan Horsey, Security Engineer at Griffith Cybersec team for notifying the OME team of this security issue via security@openmicroscopy.org.
© 2005-2024 University of Dundee & Open Microscopy Environment. Creative Commons Attribution 4.0 International License
OME source code is available under the GNU General public license or more permissive open source licenses, or through commercial license from Glencoe Software Inc.
OME, Bio-Formats, OMERO, IDR and their associated logos are trademarks of Glencoe Software Inc., which holds these marks to protect them on behalf of the OME community.
[ Site Map ]
Version: 2024.04.18