2021-SV3 XSS vectors

affects OMERO.web versions prior to 5.11.0, OMERO.figure versions prior to 4.4.1

back to Advisories


Inconsistent input sanitization leads to XSS vectors.


A variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of jQuery.html(), there are a whole host of XSS possibilities with specially crafted input to a variety of fields. setting.

This vulnerability is identified as CVE-2021-41132 and GHSA-g67g-hvc3-xmvf.

Affected Packages

OMERO.web before 5.11.0 and OMERO.figure before 4.4.1.


Low severity.


All OMERO.web deployments should be upgraded to at least 5.11.0. All OMERO.figure deployments should be upgraded to at least 4.4.1.


Lachlan Horsey, Security Engineer at Griffith Cybersec team for notifying the OME team of this security issue via security@openmicroscopy.org.

back to top