Background
A variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of jQuery.html(), there are a whole host of XSS possibilities with specially crafted input to a variety of fields.
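As an added illustration (not OMERO.web or OMERO.figure code), the pattern below shows the defect class the advisory describes and its remedy: untrusted values concatenated into markup that is later handed to a jQuery.html() sink, beside the same template with each interpolated value HTML-escaped. The `renderUnsafe`/`renderSafe` helpers and the sample string are constructed for this example.

```javascript
// Characters that must be escaped before untrusted text is placed in HTML
// content or attribute values; covers the five HTML metacharacters.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: literal parts are author-controlled markup and pass through,
// every interpolated value is escaped, so data can never become markup.
function safeHtml(strings, ...values) {
  return strings.reduce(
    (out, lit, i) => out + lit + (i < values.length ? escapeHtml(values[i]) : ""),
    ""
  );
}

// Vulnerable pattern: user-supplied data concatenated straight into the string
// that will be passed to $(el).html(...). Any tag in the data is rendered.
function renderUnsafe(ownerName) {
  return '<span class="owner">' + ownerName + "</span>";
}

// Hardened pattern: identical markup, value escaped at the sink.
function renderSafe(ownerName) {
  return safeHtml`<span class="owner">${ownerName}</span>`;
}

// Conservative detection helper: does the rendered markup still contain an
// element with the given tag name? Useful in unit tests for template output.
function containsTag(markup, tagName) {
  return new RegExp("<" + tagName + "[\\s>/]", "i").test(markup);
}

// Constructed sample input exercising all five metacharacters plus a tag.
const SAMPLE_NAME = 'O\'Brien <b>bold</b> & "co"';

function demo() {
  return {
    unsafe: renderUnsafe(SAMPLE_NAME),  // the <b> survives and is rendered
    safe: renderSafe(SAMPLE_NAME),      // shows literally as "<b>bold</b>"
  };
}
```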
Impact
OMERO.web before 5.11.0 and OMERO.figure before 4.4.1.
Patches
Users should upgrade OMERO.web to 5.11.0 or higher and OMERO.figure to 4.4.1 or higher.
Workarounds
None
Credit
Lachlan Horsey, Security Engineer at Griffith Cybersec team
References
For more information
If you have any questions or comments about this advisory: