PyPi: Omero-Web

CVE-2024-35180

Safety vulnerability ID: 71090

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at May 21, 2024 Updated at Nov 29, 2024

Scan your Python projects for vulnerabilities →

Advisory

Omero-web version 5.26.0 addresses a critical security vulnerability (CVE-2024-35180) by validating the JSONP callback parameter. Previously, OMERO.web endpoints with JSONP enabled, such as `/webclient/imgData/`, lacked escaping or validation for the callback parameter, which could be exploited if not properly managed. Although this vulnerability is hard to exploit in the default OMERO.web setup due to jQuery's callback name generation, it poses a significant risk for plugins using these metadata endpoints.

Affected package

omero-web

Latest version: 5.28.0

OMERO.web

Affected versions

Fixed versions

Vulnerability changelog

-----------------

Features

- Plate acquisition filtering with plate display [542](https://github.com/ome/omero-web/pull/542)
- Block user interface for some long-running tasks [543](https://github.com/ome/omero-web/pull/543)

Other changes

- Reviewed instructions to use conda-forge channel [533](https://github.com/ome/omero-web/pull/533)
- Remove non-performant cache [549](https://github.com/ome/omero-web/pull/549)
- Validate JSONP callback parameter [CVE-2024-35180](https://github.com/ome/omero-web/security/advisories/GHSA-vr85-5pwx-c6gq)

Resources

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35180

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application