CVE-2021-41132 Information

Description

OMERO.web provides a web based client and plugin infrastructure. In versions prior to 5.11.0 a variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of jQuery.html() there are a whole host of cross-site scripting possibilities with specially crafted input to a variety of fields. This issue is patched in version 5.11.0. There are no known workarounds aside from upgrading.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://github.com/ome/omero-web/security/advisories/GHSA-g67g-hvc3-xmvf https://www.openmicroscopy.org/security/advisories/2021-SV3/ https://github.com/ome/omero-web/commit/0168067accde5e635341b3c714b1d53ae92ba424

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1