CVE-2025-54791 – omero-web

Package

Manager: pip
Name: omero-web
Vulnerable Version: >=0 <5.29.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00036 pctl0.09055

Details

OMERO.web displays unecessary user information when requesting password reset ### Background If an error occurred when resetting a user's password using the ``Forgot Password`` option in OMERO.web, the error message displayed on the Web page can disclose information about the user. ### Impact OMERO.web before 5.29.1 ### Patches User should upgrade to 5.29.2 or higher ### Workarounds Disable the ``Forgot password`` option in OMERO.web using the ``omero.web.show_forgot_password`` configuration property[^1]. Thanks to Christopher Youd who reported the issue. Open an issue in [omero-web](https://github.com/ome/omero-web) Email us at [security@openmicroscopy.org](mailto:security@openmicroscopy.org) [^1]: https://omero.readthedocs.io/en/stable/sysadmins/config.html#omero.web.show_forgot_password

Metadata

Created: 2025-08-13T18:47:35Z
Modified: 2025-08-27T14:29:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-gpmg-4x4g-mr5r/GHSA-gpmg-4x4g-mr5r.json
CWE IDs: ["CWE-209"]
Alternative ID: GHSA-gpmg-4x4g-mr5r
Finding: F037
Auto approve: 1