affects OMERO.web versions prior to 5.9.0
OMERO webclient does not validate URL redirects on login or switching group.
OMERO.web supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the omero.web.redirect_allowed_hosts setting.
This vulnerability is identified as CVE-2021-21377 and GHSA-g4rf-pc26-6hmr.
OMERO.web before 5.9.0.
All OMERO.web should be upgraded to at least 5.9.0.
Teng Zheng for notifying the OME team of this security issue via security@openmicroscopy.org.
© 2005-2024 University of Dundee & Open Microscopy Environment. Creative Commons Attribution 4.0 International License
OME source code is available under the GNU General public license or more permissive open source licenses, or through commercial license from Glencoe Software Inc.
OME, Bio-Formats, OMERO, IDR and their associated logos are trademarks of Glencoe Software Inc., which holds these marks to protect them on behalf of the OME community.
[ Site Map ]
Version: 2024.11.14