affects OMERO.web versions 5.9.0 and earlier
If an attacker tricks a user into clicking a malicious link in OMERO.web, the information in the URL and query parameters may be exposed in the referrer header seen by the target.
When a hyperlink on a webpage is clicked most browsers default to sending the full URL of the current page in the HTTP referrer header to the target server of the hyperlink. If the URL of the current page includes sensitive information, for example query parameters or object IDs, this information is sent in the referrer header and can be seen by the linked server.
This vulnerability is identified as CVE-2020-7932.
OMERO.web, all versions prior to 5.9.0.
All OMERO.web servers should be upgraded to at least 5.9.0. If your users are using Internet Explorer 11 (IE11) consider setting omero.web.html_meta_referrer to origin instead of the default origin-when-crossorigin which is not understood by IE11.
For additional information see:
© 2005-2024 University of Dundee & Open Microscopy Environment. Creative Commons Attribution 4.0 International License
OME source code is available under the GNU General public license or more permissive open source licenses, or through commercial license from Glencoe Software Inc.
OME, Bio-Formats, OMERO, IDR and their associated logos are trademarks of Glencoe Software Inc., which holds these marks to protect them on behalf of the OME community.
[ Site Map ]
Version: 2024.11.14