CVE-2024-35180 Information

Description

OMERO.web provides a web based client and plugin infrastructure. There is currently no escaping or validation of the callback parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. This vulnerability has been patched in version 5.26.0.

Reference

https://github.com/ome/omero-web/security/advisories/GHSA-vr85-5pwx-c6gq https://github.com/ome/omero-web/commit/d41207cbb82afc56ea79e84db532608aa24ab4aa