
    6 vulnerabilities found for omero-web by openmicroscopy

    CVE-2025-54791 (GCVE-0-2025-54791)

    Vulnerability from nvd – Published: 2025-08-13 14:08 – Updated: 2025-08-13 14:25
    Title
    OMERO.web displays unnecessary user information when requesting to reset the password
    Summary
    OMERO.web provides a web-based client and plugin infrastructure. Prior to version 5.29.2, if an error occurred while resetting a user's password using the Forgot Password option in OMERO.web, the error message displayed on the web page could disclose information about the user. This issue has been patched in version 5.29.2. A workaround is to disable the Forgot Password option in OMERO.web using the omero.web.show_forgot_password configuration property.
    SSVC
    Exploitation: none · Automatable: yes · Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-209 - Generation of Error Message Containing Sensitive Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    ome omero-web Affected: < 5.29.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54791",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-13T14:25:17.275870Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-13T14:25:28.402Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "omero-web",
              "vendor": "ome",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.29.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OMERO.web provides a web based client and plugin infrastructure. Prior to version 5.29.2, if an error occurred when resetting a user\u0027s password using the Forgot Password option in OMERO.web, the error message displayed on the Web page can disclose information about the user. This issue has been patched in version 5.29.2. A workaround involves disabling the Forgot password option in OMERO.web using the omero.web.show_forgot_password configuration property."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-209",
                  "description": "CWE-209: Generation of Error Message Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-13T14:08:19.607Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/ome/omero-web/security/advisories/GHSA-gpmg-4x4g-mr5r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ome/omero-web/security/advisories/GHSA-gpmg-4x4g-mr5r"
            },
            {
              "name": "https://github.com/ome/omero-web/commit/8aa2789e8f759c73f1517abe9a0abd44e86644ad",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ome/omero-web/commit/8aa2789e8f759c73f1517abe9a0abd44e86644ad"
            }
          ],
          "source": {
            "advisory": "GHSA-gpmg-4x4g-mr5r",
            "discovery": "UNKNOWN"
          },
          "title": "OMERO.web displays unecessary user information when requesting to reset the password"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-54791",
        "datePublished": "2025-08-13T14:08:19.607Z",
        "dateReserved": "2025-07-29T16:50:28.394Z",
        "dateUpdated": "2025-08-13T14:25:28.402Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-35180 (GCVE-0-2024-35180)

    Vulnerability from nvd – Published: 2024-05-21 12:33 – Updated: 2024-08-02 03:07
    Title
    OMERO.web JSONP callback vulnerability
    Summary
    OMERO.web provides a web-based client and plugin infrastructure. Prior to version 5.26.0, the `callback` parameter that can be passed to various OMERO.web endpoints with JSONP enabled is neither escaped nor validated. This vulnerability has been patched in version 5.26.0.
    SSVC
    Exploitation: none · Automatable: no · Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-830 - Inclusion of Web Functionality from an Untrusted Source
    Assigner
    References
    Impacted products
    Vendor Product Version
    ome omero-web Affected: <= 5.25.0

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-35180",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-21T15:13:29.799514Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:34:51.270Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:07:46.755Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/ome/omero-web/security/advisories/GHSA-vr85-5pwx-c6gq",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/ome/omero-web/security/advisories/GHSA-vr85-5pwx-c6gq"
              },
              {
                "name": "https://github.com/ome/omero-web/commit/d41207cbb82afc56ea79e84db532608aa24ab4aa",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ome/omero-web/commit/d41207cbb82afc56ea79e84db532608aa24ab4aa"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "omero-web",
              "vendor": "ome",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 5.25.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OMERO.web provides a web based client and plugin infrastructure. There is currently no escaping or validation of the `callback` parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. This vulnerability has been patched in version 5.26.0.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-830",
                  "description": "CWE-830: Inclusion of Web Functionality from an Untrusted Source",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-21T12:33:02.639Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/ome/omero-web/security/advisories/GHSA-vr85-5pwx-c6gq",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ome/omero-web/security/advisories/GHSA-vr85-5pwx-c6gq"
            },
            {
              "name": "https://github.com/ome/omero-web/commit/d41207cbb82afc56ea79e84db532608aa24ab4aa",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ome/omero-web/commit/d41207cbb82afc56ea79e84db532608aa24ab4aa"
            }
          ],
          "source": {
            "advisory": "GHSA-vr85-5pwx-c6gq",
            "discovery": "UNKNOWN"
          },
          "title": "OMERO.web JSONP callback vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-35180",
        "datePublished": "2024-05-21T12:33:02.639Z",
        "dateReserved": "2024-05-10T14:24:24.339Z",
        "dateUpdated": "2024-08-02T03:07:46.755Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41132 (GCVE-0-2021-41132)

    Vulnerability from nvd – Published: 2021-10-14 15:45 – Updated: 2024-08-04 02:59
    Title
    Inconsistent input sanitisation leads to XSS vectors
    Summary
    OMERO.web provides a web-based client and plugin infrastructure. In versions prior to 5.11.0, a variety of templates do not perform proper sanitisation through HTML escaping. Because of the missing sanitisation and the use of ``jQuery.html()``, specially crafted input to a variety of fields can lead to many cross-site scripting possibilities. This issue is patched in version 5.11.0. There are no known workarounds other than upgrading.
    CWE
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    Impacted products
    Vendor Product Version
    ome omero-web Affected: < 5.11.0

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T02:59:31.416Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/ome/omero-web/security/advisories/GHSA-g67g-hvc3-xmvf"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ome/omero-web/commit/0168067accde5e635341b3c714b1d53ae92ba424"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.openmicroscopy.org/security/advisories/2021-SV3/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "omero-web",
              "vendor": "ome",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.11.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OMERO.web provides a web based client and plugin infrastructure. In versions prior to 5.11.0, a variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of ``jQuery.html()``, there are a whole host of cross-site scripting possibilities with specially crafted input to a variety of fields. This issue is patched in version 5.11.0. There are no known workarounds aside from upgrading."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-116",
                  "description": "CWE-116: Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-14T15:45:12.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ome/omero-web/security/advisories/GHSA-g67g-hvc3-xmvf"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ome/omero-web/commit/0168067accde5e635341b3c714b1d53ae92ba424"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.openmicroscopy.org/security/advisories/2021-SV3/"
            }
          ],
          "source": {
            "advisory": "GHSA-g67g-hvc3-xmvf",
            "discovery": "UNKNOWN"
          },
          "title": "Inconsistent input sanitisation leads to XSS vectors",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2021-41132",
              "STATE": "PUBLIC",
              "TITLE": "Inconsistent input sanitisation leads to XSS vectors"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "omero-web",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 5.11.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "ome"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "OMERO.web provides a web based client and plugin infrastructure. In versions prior to 5.11.0, a variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of ``jQuery.html()``, there are a whole host of cross-site scripting possibilities with specially crafted input to a variety of fields. This issue is patched in version 5.11.0. There are no known workarounds aside from upgrading."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-116: Improper Encoding or Escaping of Output"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/ome/omero-web/security/advisories/GHSA-g67g-hvc3-xmvf",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/ome/omero-web/security/advisories/GHSA-g67g-hvc3-xmvf"
                },
                {
                  "name": "https://github.com/ome/omero-web/commit/0168067accde5e635341b3c714b1d53ae92ba424",
                  "refsource": "MISC",
                  "url": "https://github.com/ome/omero-web/commit/0168067accde5e635341b3c714b1d53ae92ba424"
                },
                {
                  "name": "https://www.openmicroscopy.org/security/advisories/2021-SV3/",
                  "refsource": "MISC",
                  "url": "https://www.openmicroscopy.org/security/advisories/2021-SV3/"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-g67g-hvc3-xmvf",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2021-41132",
        "datePublished": "2021-10-14T15:45:12.000Z",
        "dateReserved": "2021-09-15T00:00:00.000Z",
        "dateUpdated": "2024-08-04T02:59:31.416Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-54791 (GCVE-0-2025-54791)

    Vulnerability from cvelistv5 – Published: 2025-08-13 14:08 – Updated: 2025-08-13 14:25
    Title
    OMERO.web displays unnecessary user information when requesting to reset the password
    Summary
    OMERO.web provides a web-based client and plugin infrastructure. Prior to version 5.29.2, if an error occurred while resetting a user's password using the Forgot Password option in OMERO.web, the error message displayed on the web page could disclose information about the user. This issue has been patched in version 5.29.2. A workaround is to disable the Forgot Password option in OMERO.web using the omero.web.show_forgot_password configuration property.
    SSVC
    Exploitation: none · Automatable: yes · Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-209 - Generation of Error Message Containing Sensitive Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    ome omero-web Affected: < 5.29.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54791",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-13T14:25:17.275870Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-13T14:25:28.402Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "omero-web",
              "vendor": "ome",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.29.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OMERO.web provides a web based client and plugin infrastructure. Prior to version 5.29.2, if an error occurred when resetting a user\u0027s password using the Forgot Password option in OMERO.web, the error message displayed on the Web page can disclose information about the user. This issue has been patched in version 5.29.2. A workaround involves disabling the Forgot password option in OMERO.web using the omero.web.show_forgot_password configuration property."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-209",
                  "description": "CWE-209: Generation of Error Message Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-13T14:08:19.607Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/ome/omero-web/security/advisories/GHSA-gpmg-4x4g-mr5r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ome/omero-web/security/advisories/GHSA-gpmg-4x4g-mr5r"
            },
            {
              "name": "https://github.com/ome/omero-web/commit/8aa2789e8f759c73f1517abe9a0abd44e86644ad",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ome/omero-web/commit/8aa2789e8f759c73f1517abe9a0abd44e86644ad"
            }
          ],
          "source": {
            "advisory": "GHSA-gpmg-4x4g-mr5r",
            "discovery": "UNKNOWN"
          },
          "title": "OMERO.web displays unecessary user information when requesting to reset the password"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-54791",
        "datePublished": "2025-08-13T14:08:19.607Z",
        "dateReserved": "2025-07-29T16:50:28.394Z",
        "dateUpdated": "2025-08-13T14:25:28.402Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-35180 (GCVE-0-2024-35180)

    Vulnerability from cvelistv5 – Published: 2024-05-21 12:33 – Updated: 2024-08-02 03:07
    Title
    OMERO.web JSONP callback vulnerability
    Summary
    OMERO.web provides a web-based client and plugin infrastructure. Prior to version 5.26.0, the `callback` parameter that can be passed to various OMERO.web endpoints with JSONP enabled is neither escaped nor validated. This vulnerability has been patched in version 5.26.0.
    SSVC
    Exploitation: none · Automatable: no · Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-830 - Inclusion of Web Functionality from an Untrusted Source
    Assigner
    References
    Impacted products
    Vendor Product Version
    ome omero-web Affected: <= 5.25.0

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-35180",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-21T15:13:29.799514Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:34:51.270Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:07:46.755Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/ome/omero-web/security/advisories/GHSA-vr85-5pwx-c6gq",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/ome/omero-web/security/advisories/GHSA-vr85-5pwx-c6gq"
              },
              {
                "name": "https://github.com/ome/omero-web/commit/d41207cbb82afc56ea79e84db532608aa24ab4aa",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ome/omero-web/commit/d41207cbb82afc56ea79e84db532608aa24ab4aa"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "omero-web",
              "vendor": "ome",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 5.25.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OMERO.web provides a web based client and plugin infrastructure. There is currently no escaping or validation of the `callback` parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. This vulnerability has been patched in version 5.26.0.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-830",
                  "description": "CWE-830: Inclusion of Web Functionality from an Untrusted Source",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-21T12:33:02.639Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/ome/omero-web/security/advisories/GHSA-vr85-5pwx-c6gq",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ome/omero-web/security/advisories/GHSA-vr85-5pwx-c6gq"
            },
            {
              "name": "https://github.com/ome/omero-web/commit/d41207cbb82afc56ea79e84db532608aa24ab4aa",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ome/omero-web/commit/d41207cbb82afc56ea79e84db532608aa24ab4aa"
            }
          ],
          "source": {
            "advisory": "GHSA-vr85-5pwx-c6gq",
            "discovery": "UNKNOWN"
          },
          "title": "OMERO.web JSONP callback vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-35180",
        "datePublished": "2024-05-21T12:33:02.639Z",
        "dateReserved": "2024-05-10T14:24:24.339Z",
        "dateUpdated": "2024-08-02T03:07:46.755Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41132 (GCVE-0-2021-41132)

    Vulnerability from cvelistv5 – Published: 2021-10-14 15:45 – Updated: 2024-08-04 02:59
    VLAI
    Title
    Inconsistent input sanitisation leads to XSS vectors
    Summary
    OMERO.web provides a web-based client and plugin infrastructure. In versions prior to 5.11.0, a variety of templates do not perform proper sanitization through HTML escaping. Because of this missing sanitization, combined with the use of ``jQuery.html()``, specially crafted input to a variety of fields opens a whole host of cross-site scripting possibilities. This issue is patched in version 5.11.0. There are no known workarounds aside from upgrading.
    CWE
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    Impacted products
    Vendor Product Version
    ome omero-web Affected: < 5.11.0

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T02:59:31.416Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/ome/omero-web/security/advisories/GHSA-g67g-hvc3-xmvf"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ome/omero-web/commit/0168067accde5e635341b3c714b1d53ae92ba424"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.openmicroscopy.org/security/advisories/2021-SV3/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "omero-web",
              "vendor": "ome",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.11.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OMERO.web provides a web based client and plugin infrastructure. In versions prior to 5.11.0, a variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of ``jQuery.html()``, there are a whole host of cross-site scripting possibilities with specially crafted input to a variety of fields. This issue is patched in version 5.11.0. There are no known workarounds aside from upgrading."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-116",
                  "description": "CWE-116: Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-14T15:45:12.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ome/omero-web/security/advisories/GHSA-g67g-hvc3-xmvf"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ome/omero-web/commit/0168067accde5e635341b3c714b1d53ae92ba424"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.openmicroscopy.org/security/advisories/2021-SV3/"
            }
          ],
          "source": {
            "advisory": "GHSA-g67g-hvc3-xmvf",
            "discovery": "UNKNOWN"
          },
          "title": "Inconsistent input sanitisation leads to XSS vectors",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2021-41132",
              "STATE": "PUBLIC",
              "TITLE": "Inconsistent input sanitisation leads to XSS vectors"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "omero-web",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 5.11.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "ome"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "OMERO.web provides a web based client and plugin infrastructure. In versions prior to 5.11.0, a variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of ``jQuery.html()``, there are a whole host of cross-site scripting possibilities with specially crafted input to a variety of fields. This issue is patched in version 5.11.0. There are no known workarounds aside from upgrading."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-116: Improper Encoding or Escaping of Output"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/ome/omero-web/security/advisories/GHSA-g67g-hvc3-xmvf",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/ome/omero-web/security/advisories/GHSA-g67g-hvc3-xmvf"
                },
                {
                  "name": "https://github.com/ome/omero-web/commit/0168067accde5e635341b3c714b1d53ae92ba424",
                  "refsource": "MISC",
                  "url": "https://github.com/ome/omero-web/commit/0168067accde5e635341b3c714b1d53ae92ba424"
                },
                {
                  "name": "https://www.openmicroscopy.org/security/advisories/2021-SV3/",
                  "refsource": "MISC",
                  "url": "https://www.openmicroscopy.org/security/advisories/2021-SV3/"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-g67g-hvc3-xmvf",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2021-41132",
        "datePublished": "2021-10-14T15:45:12.000Z",
        "dateReserved": "2021-09-15T00:00:00.000Z",
        "dateUpdated": "2024-08-04T02:59:31.416Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }