Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc0cmYtcGMyNi02aG1y

OMERO webclient does not validate URL redirects on login or switching group.

Background

OMERO.web supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the omero.web.redirect_allowed_hosts setting.

Impact

OMERO.web before 5.9.0

Patches

5.9.0

Workarounds

No workaround

References

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-g4rf-pc26-6hmr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc0cmYtcGMyNi02aG1y
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: over 1 year ago


Identifiers: GHSA-g4rf-pc26-6hmr, CVE-2021-21377
References: Repository: https://github.com/ome/omero-web
Blast Radius: 0.0

Affected Packages

pypi:omero-web
Dependent packages: 13
Dependent repositories: 24
Downloads: 1,080 last month
Affected Version Ranges: < 5.9.0
Fixed in: 5.9.0
All affected versions: 5.6.0, 5.6.1, 5.6.2, 5.6.3, 5.7.0, 5.7.1, 5.8.0, 5.8.1
All unaffected versions: 5.9.0, 5.9.1, 5.9.2, 5.10.0, 5.11.0, 5.12.0, 5.12.1, 5.13.0, 5.14.0, 5.14.1, 5.15.0, 5.16.0, 5.17.0, 5.18.0, 5.19.0, 5.20.0, 5.21.0, 5.22.0, 5.22.1, 5.23.0, 5.24.0, 5.25.0, 5.26.0