CVE-2024-35180 – omero-web
Package
Manager: pip
Name: omero-web
Vulnerable Version: >=0 <5.26.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00213 (percentile 0.43825)
Details
OMERO.web must check that the JSONP callback is a valid function

### Background

There is currently no escaping or validation of the `callback` parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. One such endpoint is `/webclient/imgData/...`. As we only really use these endpoints with jQuery's own callback name generation [^1] it is quite difficult or even impossible to exploit this in vanilla OMERO.web. However, these metadata endpoints are likely to be used by many plugins.

[^1]: https://learn.jquery.com/ajax/working-with-jsonp/

### Impact

OMERO.web before 5.25.0

### Patches

Users should upgrade to 5.26.0 or higher

### Workarounds

None

### References

* https://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call
* https://stackoverflow.com/questions/1661197/what-characters-are-valid-for-javascript-variable-names

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [omero-web](https://github.com/ome/omero-web)
* Email us at [security@openmicroscopy.org](mailto:security@openmicroscopy.org)
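The fix the advisory calls for is to accept the `callback` parameter only when it is a plain JavaScript function name. The following is an added example written for this page, not omero-web's own patch: it shows the unvalidated pattern the advisory describes next to a hardened variant that restricts the callback to an ASCII identifier (optionally dotted, as in `App.handlers.cb`), rejects ECMAScript reserved words, and caps the length. The function names (`is_valid_jsonp_callback`, `render_jsonp_unvalidated`, `jsonp_view`), the constructed sample callbacks, and the `/**/` prefix (a common extra hardening measure, not something the advisory mentions) are all assumptions of this example. In a Django view the returned body would be wrapped in an `HttpResponse` with `content_type="application/javascript"`.

```python
import json
import re

# Constructed example: JSONP callback validation for a JSONP-enabled endpoint.
# Assumed names; this is not omero-web's own code.

# One identifier segment: ASCII letters, digits, '_' and '$', not starting
# with a digit. Deliberately a strict ASCII subset of what ECMAScript allows;
# jQuery-generated names such as "jQuery3410..._1716300000000" still match.
_SEGMENT = r"[A-Za-z_$][A-Za-z0-9_$]*"
# Allow dotted member paths ("App.handlers.cb") as well as plain names.
_CALLBACK_RE = re.compile(rf"^{_SEGMENT}(\.{_SEGMENT})*$")

# Reserved words match the identifier pattern but cannot name a function.
_RESERVED = frozenset("""
break case catch class const continue debugger default delete do else enum
export extends false finally for function if import in instanceof new null
return super switch this throw true try typeof var void while with yield
let static await implements interface package private protected public
""".split())

MAX_CALLBACK_LEN = 128


def is_valid_jsonp_callback(name):
    """Return True only if `name` is safe to emit verbatim as a JSONP callback."""
    if not isinstance(name, str) or not name or len(name) > MAX_CALLBACK_LEN:
        return False
    if not _CALLBACK_RE.match(name):
        return False
    return not any(seg in _RESERVED for seg in name.split("."))


def render_jsonp_unvalidated(callback, payload):
    """The pattern the advisory describes: the request-supplied callback is
    interpolated into the script body without any check, so whatever the
    caller sends becomes part of the response."""
    return f"{callback}({json.dumps(payload)})"


def render_jsonp(callback, payload):
    """Hardened form: the body can only ever be `/**/<identifier>(<json>);`.
    json.dumps (ensure_ascii=True) escapes U+2028/U+2029, so the JSON part
    cannot terminate the statement either."""
    if not is_valid_jsonp_callback(callback):
        raise ValueError("invalid JSONP callback name")
    # Leading comment is a common extra hardening (not from the advisory):
    # it stops the response from starting with attacker-chosen bytes.
    return f"/**/{callback}({json.dumps(payload)});"


def jsonp_view(callback, payload):
    """Minimal view-like wrapper: (status, body). Rejects bad callbacks with
    400 instead of falling back to echoing them."""
    try:
        return 200, render_jsonp(callback, payload)
    except ValueError:
        return 400, "invalid callback"


if __name__ == "__main__":
    # Constructed sample inputs: a jQuery-style name and a malformed one.
    print(jsonp_view("jQuery34108263_1716300000000", {"id": 1}))
    print(jsonp_view("cb;x", {"id": 1}))
```

Keeping the validator separate from the renderer lets every JSONP-enabled endpoint, including plugin-provided ones, share a single allow-list check rather than each re-implementing (or forgetting) it.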
Metadata
Created: 2024-05-21T14:33:23Z
Modified: 2024-05-21T15:39:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-vr85-5pwx-c6gq/GHSA-vr85-5pwx-c6gq.json
CWE IDs: ["CWE-830"]
Alternative ID: GHSA-vr85-5pwx-c6gq
Finding: F184
Auto approve: 1