CVE-2024-35180
6.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
OMERO.web provides a web based client and plugin infrastructure. There is currently no escaping or validation of the callback parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. This vulnerability has been patched in version 5.26.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ome | omero-web | <= 5.25.0 | affected |
Weaknesses
- CWE-830: CWE-830: Inclusion of Web Functionality from an Untrusted Source
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://github.com/ome/omero-web/security/advisories/GHSA-vr85-5pwx-c6gq
- https://github.com/ome/omero-web/commit/d41207cbb82afc56ea79e84db532608aa24ab4aa
References
- https://github.com/ome/omero-web/security/advisories/GHSA-vr85-5pwx-c6gq
- https://github.com/ome/omero-web/commit/d41207cbb82afc56ea79e84db532608aa24ab4aa
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.