Open Redirect in OMERO.web
CVE-2021-21377

4.8MEDIUM

Key Information:

Vendor: Ome
Status: Omero-web
Vendor: CVE Published:; 23 March 2021

What is CVE-2021-21377?

OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the omero.web.redirect_allowed_hosts setting.

Affected Version(s)

omero-web < 5.9.0

References

https://pypi.org/project/omero-web/

x_refsource_MISC

https://github.com/ome/omero-web/blob/master/CHANGELOG.md...

x_refsource_MISC

https://github.com/ome/omero-web/commit/952f8e5d28532fbb1...

x_refsource_MISC

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 23, 2021
Vulnerability Reserved
Dec 22, 2020

Ome

What is CVE-2021-21377?

Affected Version(s)

References

CVSS V3.1

Timeline