PT-2021-23116 · Omero.Web+2

Lachlan Horsey

·

Published

2021-10-14

·

Updated

2021-10-20

·

CVE-2021-41132

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

OMERO.web versions prior to 5.11.0
OMERO.figure versions prior to 4.4.1

Description

The issue arises from missing HTML escaping in several templates, combined with inserting user-controlled values into the DOM through jQuery.html(). Specially crafted input supplied to various fields is therefore rendered as markup rather than as text, which allows cross-site scripting.

Recommendations

For OMERO.web versions prior to 5.11.0, upgrade to version 5.11.0 or later. For OMERO.figure versions prior to 4.4.1, upgrade to version 4.4.1 or later.

Fix

XSS

Improper Encoding or Escaping of Output


Weakness Enumeration

Related Identifiers

CVE-2021-41132
GHSA-G67G-HVC3-XMVF
PYSEC-2021-372
PYSEC-2021-379

Affected Products

Omero.Figure
Omero.Web
Jquery