CVE-2024-35180

Summary

OMERO.web provides a web based client and plugin infrastructure. There is currently no escaping or validation of the callback parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. This vulnerability has been patched in version 5.26.0.

Affected Software

VendorProductVersion RangeStatus
omeomero-web<= 5.25.0affected

Weaknesses

  • CWE-830: CWE-830: Inclusion of Web Functionality from an Untrusted Source

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References