Background
There is currently no escaping or validation of the callback parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. One such endpoint is /webclient/imgData/.... As we only really use these endpoints with jQuery's own callback name generation 1 it is quite difficult or even impossible to exploit this in vanilla OMERO.web. However, these metadata endpoints are likely to be used by many plugins.
Impact
OMERO.web before 5.25.0
Patches
Users should upgrade to 5.26.0 or higher
Workarounds
None
References
For more information
If you have any questions or comments about this advisory:
Open an issue in omero-web
Email us at security@openmicroscopy.org
References
Background
There is currently no escaping or validation of the
callbackparameter that can be passed to various OMERO.web endpoints that have JSONP enabled. One such endpoint is/webclient/imgData/.... As we only really use these endpoints with jQuery's own callback name generation 1 it is quite difficult or even impossible to exploit this in vanilla OMERO.web. However, these metadata endpoints are likely to be used by many plugins.Impact
OMERO.web before 5.25.0
Patches
Users should upgrade to 5.26.0 or higher
Workarounds
None
References
For more information
If you have any questions or comments about this advisory:
Open an issue in omero-web
Email us at security@openmicroscopy.org
References
Footnotes
https://learn.jquery.com/ajax/working-with-jsonp/ ↩