CVE-2021-21377 – omero-web

Package

Manager: pip
Name: omero-web
Vulnerable Version: >=0 <5.9.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00314 pctl0.53922

Details

OMERO webclient does not validate URL redirects on login or switching group. ### Background OMERO.web supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the ``omero.web.redirect_allowed_hosts`` setting. ### Impact OMERO.web before 5.9.0 ### Patches 5.9.0 ### Workarounds No workaround ### References ### For more information If you have any questions or comments about this advisory: * Open an issue in [omero-web](https://github.com/ome/omero-web) * Email us at [security](mailto:security@openmicroscopy.org.uk)

Metadata

Created: 2021-03-23T15:26:49Z
Modified: 2024-10-08T12:43:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-g4rf-pc26-6hmr/GHSA-g4rf-pc26-6hmr.json
CWE IDs: ["CWE-601"]
Alternative ID: GHSA-g4rf-pc26-6hmr
Finding: F156
Auto approve: 1