CVE-2024-35180

Name of the Vulnerable Software and Affected Versions OMERO.web versions prior to 5.26.0

Description The issue is related to the lack of escaping or validation of the callback parameter in OMERO.web endpoints with JSONP enabled. This affects various endpoints, including /webclient/imgData/.... Although it is difficult to exploit in vanilla OMERO.web, the vulnerability could be exploited in plugins that use these metadata endpoints.

Recommendations For versions prior to 5.26.0, upgrade to version 5.26.0 or higher to resolve the issue. As a temporary workaround, consider restricting access to endpoints with JSONP enabled until the upgrade is applied. Avoid using the callback parameter in affected API endpoints until the issue is resolved.