
OMERO webclient does not validate URL redirects on login or switching group.

Moderate severity GitHub Reviewed Published Mar 17, 2021 in ome/omero-web • Updated Feb 1, 2023

Package

pip omero-web (pip)

Affected versions

< 5.9.0

Patched versions

5.9.0

Description

Background

OMERO.web supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the omero.web.redirect_allowed_hosts setting.
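The check the advisory describes, as an added illustration rather than OMERO.web's own code: a login view that redirects to whatever `url` parameter it receives (the pre-5.9.0 behaviour, as described above) next to a validator that accepts only same-site paths, the request's own host, or hosts on an allow-list standing in for `omero.web.redirect_allowed_hosts`. The function names, the host names and the allow-list contents are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the omero.web.redirect_allowed_hosts setting
# (hostnames only, lowercase, no scheme or port).
REDIRECT_ALLOWED_HOSTS = frozenset({"images.example.org"})


def unsafe_redirect_target(url_param: str, default: str = "/") -> str:
    """Pre-fix behaviour: the caller-supplied URL is used as-is.

    A link such as /login?url=https://attacker.example lands the user
    on a third-party site after a successful login.
    """
    return url_param or default


def _host_is_allowed(url: str, request_host: str, allowed_hosts) -> bool:
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    # "javascript:..." / "data:..." style URLs: scheme but no network location
    if parts.scheme and not parts.netloc:
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname       # lowercased, userinfo and port stripped
    if host is None:            # plain site-relative path such as /webclient/
        return True
    return host == request_host or host in allowed_hosts


def is_safe_redirect(url: str, request_host: str,
                     allowed_hosts=frozenset()) -> bool:
    """Return True only for same-site paths or allow-listed external hosts.

    Mirrors the checks found in common web-framework helpers: reject empty
    values, control characters and "///", and evaluate the URL with
    backslashes rewritten to slashes as well, because browsers treat
    "/\\evil.example" like "//evil.example".
    """
    if not url:
        return False
    url = url.strip()
    if any(ord(c) < 0x20 or c == "\x7f" for c in url):
        return False
    if url.startswith("///"):
        return False
    request_host = request_host.lower()
    return (_host_is_allowed(url, request_host, allowed_hosts)
            and _host_is_allowed(url.replace("\\", "/"), request_host,
                                 allowed_hosts))


def safe_redirect_target(url_param: str, request_host: str,
                         allowed_hosts=REDIRECT_ALLOWED_HOSTS,
                         default: str = "/") -> str:
    """Post-fix behaviour: fall back to the default when validation fails."""
    if is_safe_redirect(url_param, request_host, allowed_hosts):
        return url_param.strip()
    return default


if __name__ == "__main__":
    # Constructed sample inputs a login or group-switch view might receive.
    for candidate in ["/webclient/", "//evil.example/", "https://evil.example/x",
                      "https://images.example.org/data", "javascript:alert(1)",
                      "/\\evil.example"]:
        print(f"{candidate!r:40} -> {safe_redirect_target(candidate, 'omero.example.org')}")
```

The request host should be the server's canonical hostname (for a Django-based application, the value already validated against `ALLOWED_HOSTS`), not a header copied straight from the client; otherwise a forged `Host` header would widen the allow-list.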

Impact

OMERO.web before 5.9.0

Patches

5.9.0

Workarounds

No workaround

References

For more information

If you have any questions or comments about this advisory:

@jburel jburel published to ome/omero-web Mar 17, 2021
Reviewed Mar 23, 2021
Published to the GitHub Advisory Database Mar 23, 2021
Published by the National Vulnerability Database Mar 23, 2021
Last updated Feb 1, 2023

Severity

Moderate

EPSS score

0.077%
(34th percentile)

Weaknesses

CVE ID

CVE-2021-21377

GHSA ID

GHSA-g4rf-pc26-6hmr

Source code

No known source code