GHSA-vr85-5pwx-c6gq

Suggest an improvement
Source
https://github.com/advisories/GHSA-vr85-5pwx-c6gq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-vr85-5pwx-c6gq/GHSA-vr85-5pwx-c6gq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vr85-5pwx-c6gq
Aliases
Published
2024-05-21T14:33:23Z
Modified
2024-05-21T15:56:59.065119Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
OMERO.web must check that the JSONP callback is a valid function
Details

Background

There is currently no escaping or validation of the callback parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. One such endpoint is /webclient/imgData/.... As we only really use these endpoints with jQuery's own callback name generation [^1] it is quite difficult or even impossible to exploit this in vanilla OMERO.web. However, these metadata endpoints are likely to be used by many plugins.

Impact

OMERO.web before 5.25.0

Patches

Users should upgrade to 5.26.0 or higher

Workarounds

None

References

  • https://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call
  • https://stackoverflow.com/questions/1661197/what-characters-are-valid-for-javascript-variable-names

For more information If you have any questions or comments about this advisory:

Open an issue in omero-web Email us at security@openmicroscopy.org

References

Affected packages

PyPI / omero-web

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.26.0

Affected versions

5.*

5.5.dev1
5.5.dev2
5.6.dev1
5.6.dev2
5.6.dev3
5.6.dev4
5.6.dev5
5.6.dev6
5.6.dev7
5.6.0
5.6.1
5.6.2
5.6.3
5.7.0
5.7.1
5.8.0
5.8.1
5.9.0
5.9.1
5.9.2
5.10.0
5.11.0rc1
5.11.0
5.12.0
5.12.1
5.13.0
5.14.0rc1
5.14.0
5.14.1
5.15.0
5.16.0
5.17.0
5.18.0
5.19.0
5.20.0
5.21.0
5.22.0
5.22.1
5.23.0
5.23.1.dev0
5.24.0
5.25.0