CVE-2021-21377

MEDIUM

OMERO.web < 5.9.0 - Open Redirect via Unvalidated URL Parameter

Title source: llm
STIX 2.1

Description

OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the omero.web.redirect_allowed_hosts setting.

References (5)

Core 5
Core References
Third Party Advisory x_refsource_misc
https://pypi.org/project/omero-web/
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021

Scores

CVSS v3 4.8
EPSS 0.0083
EPSS Percentile 53.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Details

CWE
CWE-601
Status published
Products (2)
openmicroscopy/omero.web < 5.9.0
pypi/omero-web 0 - 5.9.0PyPI
Published Mar 23, 2021
Tracked Since Feb 18, 2026