CVE-2020-7932 Information

Description

OMERO.web before 5.6.3 optionally allows sensitive data elements (e.g. a session key) to be passed as URL query parameters. If an attacker tricks a user into clicking a malicious link in OMERO.web, the information in the query parameters may be exposed in the Referer header seen by the target. Information in the URL path, such as object IDs, may also be exposed.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Reference

https://www.openmicroscopy.org/security/advisories/2019-SV4/

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

5.7

Base Severity

MEDIUM
