Affects OMERO.web versions prior to 5.11.0 and OMERO.figure versions prior to 4.4.1.
Inconsistent input sanitization leads to XSS vectors.
A variety of templates do not perform proper sanitization through HTML escaping. Because the values are not escaped and are then inserted with jQuery.html(), specially crafted input in a variety of fields opens up a whole host of XSS possibilities.
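As an added illustration (not code from OMERO.web or OMERO.figure), the snippet below places a template that interpolates a field value raw next to the same template with HTML escaping applied at the point of insertion, which is the class of fix the advisory calls for. The helper names and the sample dataset name are assumptions for the example.

```javascript
// Added example, not OMERO code. Escape every user-controlled value before
// it reaches a template string or jQuery.html(), so markup inside a field
// value is rendered as literal text instead of being parsed as HTML.
// (Where no markup is needed at all, jQuery's .text(value) is the simpler fix.)
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  // Coerce to string so numbers, null or objects cannot bypass escaping.
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern described by the advisory: the template interpolates the
// raw value, so any markup in it becomes part of the DOM.
function renderFieldUnsafe(label, value) {
  return `<div class="field"><span class="label">${label}</span> ` +
         `<span class="value">${value}</span></div>`;
}

// Hardened version: each untrusted value is escaped where it is inserted.
function renderFieldSafe(label, value) {
  return `<div class="field"><span class="label">${escapeHtml(label)}</span> ` +
         `<span class="value">${escapeHtml(value)}</span></div>`;
}

// Regression check a test suite can run over rendered output: the only tags
// present must be the template's own, never ones that came from a value.
function onlyTemplateTags(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.every((t) => /^<\/?(div|span)( class="(field|label|value)")?>$/.test(t));
}

// Constructed sample: a dataset name that happens to contain markup.
const sampleName = 'Sample <b>A</b> & "B"';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderFieldUnsafe('Name', sampleName));
  console.log(renderFieldSafe('Name', sampleName));
  console.log(onlyTemplateTags(renderFieldUnsafe('Name', sampleName))); // false
  console.log(onlyTemplateTags(renderFieldSafe('Name', sampleName)));   // true
}
```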
This vulnerability is identified as CVE-2021-41132 and GHSA-g67g-hvc3-xmvf.
OMERO.web before 5.11.0 and OMERO.figure before 4.4.1.
All OMERO.web deployments should be upgraded to at least 5.11.0. All OMERO.figure deployments should be upgraded to at least 4.4.1.
Lachlan Horsey, Security Engineer at Griffith Cybersec team for notifying the OME team of this security issue via