
CVE-2021-41132 omero-figure

Package

Manager: pip
Name: omero-figure
Vulnerable Version: >=0 <4.4.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00925 (percentile 0.75151)

Details

Inconsistent input sanitisation leads to XSS vectors

Background

A variety of templates do not perform proper sanitisation through HTML escaping. Because field values are not escaped and are then inserted with jQuery.html(), which parses its argument as HTML rather than text, specially crafted input to a variety of fields yields a whole host of XSS possibilities.

Impact

Affects OMERO.web before 5.11.0 and OMERO.figure before 4.4.1.

Patches

Users should upgrade OMERO.web to 5.11.0 or higher and OMERO.figure to 4.4.1 or higher.
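The escaping gap the advisory describes, shown as an added example that is not OMERO.figure or OMERO.web code: a template splices an untrusted field value into markup and hands the result to an HTML sink (the jQuery.html() pattern), versus the same template escaping the value first. The field name, wrapper markup and payload string are constructed for illustration; the injectsMarkup() check is a regex approximation of what a browser would parse, not a DOM.

```javascript
// Added example (not project code): CWE-79 via CWE-116 (improper encoding for
// the HTML output context). Inputs below are constructed, not real OMERO data.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can break out of HTML text or attribute
// context. '&' must be covered too, or attackers can smuggle entities.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the untrusted label is interpolated verbatim. Once this
// string reaches an HTML-parsing sink such as jQuery.html(), any tags in the
// label become live DOM nodes and their event handlers run.
function renderLabelUnsafe(label) {
  return `<div class="label" title="${label}">${label}</div>`;
}

// Fixed pattern: encode at the sink boundary so the value is rendered as text.
// The same escape covers the attribute context because it encodes quotes.
function renderLabelSafe(label) {
  return `<div class="label" title="${escapeHtml(label)}">${escapeHtml(label)}</div>`;
}

// Approximate browser behaviour: does the rendered string contain any markup
// beyond the template's own wrapper element? Regex-based, no DOM required.
function injectsMarkup(html) {
  const inner = html
    .replace(/^<div class="label" title="[^"]*">/, "")
    .replace(/<\/div>$/, "");
  return /<[a-zA-Z!\/]/.test(inner) || /[^&]"/.test(inner);
}

// Constructed payload in the shape a crafted field value would take.
const PAYLOAD = 'Sample <img src=x onerror="alert(1)">';

function demo() {
  return {
    unsafe: renderLabelUnsafe(PAYLOAD),
    safe: renderLabelSafe(PAYLOAD),
    unsafeInjects: injectsMarkup(renderLabelUnsafe(PAYLOAD)),
    safeInjects: injectsMarkup(renderLabelSafe(PAYLOAD)),
  };
}

console.log(demo());
```

The fix here is encoding at the output sink, which is what the advisory calls sanitisation through HTML escaping. Where a field genuinely must carry markup, the alternative is an allow-list HTML sanitiser followed by a text sink; escaping and sanitising are not interchangeable, and the escape must match the context (text node vs. attribute vs. URL) it lands in.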

Metadata

Created: 2021-10-14T21:19:23Z
Modified: 2024-10-08T12:42:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-g67g-hvc3-xmvf/GHSA-g67g-hvc3-xmvf.json
CWE IDs: ["CWE-116", "CWE-79"]
Alternative ID: GHSA-g67g-hvc3-xmvf
Finding: F008
Auto approve: 1