Advisories for Pypi/Omero-Web package

2025

OMERO.web uses jquery-form library, which may be vulnerable to XSS attack

OMERO.web uses the jquery-form library throughout to handle form submission and response processing. Due to some unpatched potential vulnerabilities in jquery-form, OMERO.web 5.29.2 and earlier may be susceptible to XSS attacks.

OMERO.web displays unecessary user information when requesting password reset

OMERO.web before 5.29.1

2024

OMERO.web must check that the JSONP callback is a valid function

OMERO.web before 5.25.0

2022

OMERO-web Sensitive Data Exposure

OMERO.web before 5.6.3 optionally allows sensitive data elements (e.g., a session key) to be passed as URL query parameters. If an attacker tricks a user into clicking a malicious link in OMERO.web, the information in the query parameters may be exposed in the Referer header seen by the target. Information in the URL path such as object IDs may also be exposed.

2021

Advisories for Pypi/Omero-Web package

OMERO.web uses jquery-form library, which may be vulnerable to XSS attack

OMERO.web displays unecessary user information when requesting password reset

OMERO.web must check that the JSONP callback is a valid function

OMERO-web Sensitive Data Exposure

Inconsistent input sanitisation leads to XSS vectors

OMERO.web exposes some unnecessary session information in the page

OMERO webclient does not validate URL redirects on login or switching group.