Description
OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the omero.web.redirect_allowed_hosts setting.
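The fix described above, validating a redirect target against the current request host plus an allow-list of external hosts, as an added stdlib-only Python example. It is not OMERO.web's own patch (a Django application would normally delegate this to django.utils.http.url_has_allowed_host_and_scheme); the names is_safe_redirect, resolve_redirect and REDIRECT_ALLOWED_HOSTS, and the example hosts, are assumptions modelled on the omero.web.redirect_allowed_hosts setting.

```python
"""
Added example, not OMERO.web code: allow-list based validation of a
post-login / group-switch redirect target (the class of fix in 5.9.0).
"""
from urllib.parse import urlsplit

# Assumed setting, modelled on omero.web.redirect_allowed_hosts (constructed value).
REDIRECT_ALLOWED_HOSTS = frozenset({"images.example.org"})


def is_safe_redirect(url, request_host, allowed_hosts=frozenset(), require_https=False):
    """Return True if `url` may be used as a redirect target.

    `request_host` is the hostname of the current request, without a port.
    Accepted: relative paths, and absolute http(s) URLs whose host is the
    request host or is listed in `allowed_hosts`.
    Rejected: any other host, non-http(s) schemes, scheme-relative URLs
    ('//other.example'), backslash variants some browsers treat as '/',
    and URLs containing header-splitting characters.
    """
    if not url:
        return False
    url = url.strip()
    if any(c in url for c in "\r\n\t"):
        return False
    # Several browsers treat '\' like '/', so normalise before parsing;
    # otherwise '/\other.example' would look like a safe relative path.
    url = url.replace("\\", "/")

    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return False
    if require_https and scheme and scheme != "https":
        return False

    if not parts.netloc:
        # A plain relative path is fine; 'http:///x' or 'https:host' is not.
        return not scheme and not url.startswith("//")

    # parts.hostname is lower-cased and stripped of userinfo and port, so
    # 'https://images.example.org@evil.example/' resolves to evil.example.
    host = parts.hostname
    permitted = {h.lower() for h in allowed_hosts}
    permitted.add(request_host.lower())
    return host in permitted


def resolve_redirect(url, request_host, default="/", **checks):
    """Return `url` if it passes validation, else a safe local default.

    Before 5.9.0 the supplied URL was used unchecked; this is the
    validated replacement pattern.
    """
    return url if is_safe_redirect(url, request_host, **checks) else default


if __name__ == "__main__":
    host = "omero.example.org"  # constructed request host
    for candidate in ["/webclient/", "//evil.example/", "https://images.example.org/"]:
        print(candidate, "->", resolve_redirect(candidate, host, allowed_hosts=REDIRECT_ALLOWED_HOSTS))
```

Pass the request's hostname (not the Host header with port) as `request_host`; relative paths always pass, external hosts pass only when present in the allow-list, and anything rejected falls back to the local default instead of the attacker-supplied value.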
References (5)
Third Party Advisory (x_refsource_misc): https://pypi.org/project/omero-web/
Release Notes, Third Party Advisory (x_refsource_misc): https://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021
Patch, Third Party Advisory (x_refsource_misc): https://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c
Third Party Advisory (x_refsource_confirm): https://github.com/ome/omero-web/security/advisories/GHSA-g4rf-pc26-6hmr
Vendor Advisory (x_refsource_misc): https://www.openmicroscopy.org/security/advisories/2021-SV2/
Scores
CVSS v3: 4.8
EPSS: 0.0031
EPSS Percentile: 54.5%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Details
CWE: CWE-601
Status: published
Products (2)
openmicroscopy/omero.web: < 5.9.0
pypi/omero-web: 0 - 5.9.0 (PyPI)
Published: Mar 23, 2021
Tracked Since: Feb 18, 2026