CVE-2021-21377 Information

Description

OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid unless specified in the omero.web.redirect_allowed_hosts setting.
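The allow-list check the description summarises, as an added illustration (not OMERO.web's own code): a redirect target is accepted only if it is a path on the current site, the request's own host, or a host named in an allow-list standing in for the omero.web.redirect_allowed_hosts setting. The host names and the two function names are assumptions constructed for the example; the backslash and "///" handling covers browser URL quirks that a plain host comparison would miss.

```python
from urllib.parse import urlsplit

# Constructed values for this example (assumptions, not OMERO.web's configuration):
# the host the request arrived on, and an allow-list of external hosts playing the
# role of omero.web.redirect_allowed_hosts.
REQUEST_HOST = "omero.example.org"
REDIRECT_ALLOWED_HOSTS = frozenset({"partner.example.com"})


def _host_is_allowed(url, request_host, allowed_hosts):
    parts = urlsplit(url)
    # Only http(s) may be redirected to; "javascript:", "data:", "mailto:" etc. are refused.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    # A scheme with no authority ("http:foo") is malformed for our purposes; refuse it.
    if parts.scheme and not parts.netloc:
        return False
    # No authority at all: a path on this site, which is what "?url=/webclient/" should be.
    if not parts.netloc:
        return True
    # Any explicit host, including protocol-relative "//host", must be this site or allow-listed.
    # .hostname is lowercased and has port and userinfo removed, so "site@evil" yields "evil".
    host = parts.hostname or ""
    return host == request_host or host in allowed_hosts


def is_allowed_redirect(url, request_host=REQUEST_HOST, allowed_hosts=REDIRECT_ALLOWED_HOSTS):
    """Return True only if `url` is acceptable as a post-login / group-switch redirect target."""
    url = url.strip()
    if not url:
        return False
    # Browsers treat "///host" like "//host", which urlsplit would read as a bare path.
    if url.startswith("///"):
        return False
    # Browsers also treat backslashes as slashes, so "/\\host" becomes "//host";
    # the URL must pass both as written and with backslashes normalised.
    return (
        _host_is_allowed(url, request_host, allowed_hosts)
        and _host_is_allowed(url.replace("\\", "/"), request_host, allowed_hosts)
    )


if __name__ == "__main__":
    samples = ["/webclient/", "https://omero.example.org/webclient/",
               "https://partner.example.com/", "//evil.example.net/",
               "/\\evil.example.net", "javascript:void(0)"]
    for candidate in samples:
        print(f"{candidate!r:40} -> {is_allowed_redirect(candidate)}")
```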

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Reference

https://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021
https://pypi.org/project/omero-web/
https://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c
https://www.openmicroscopy.org/security/advisories/2021-SV2/
https://github.com/ome/omero-web/security/advisories/GHSA-g4rf-pc26-6hmr

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

5.4

Base Severity

MEDIUM
