
Headline

GHSA-vr85-5pwx-c6gq: OMERO.web must check that the JSONP callback is a valid function


Package

omero-web (pip)

Affected versions

< 5.26.0

Patched versions

5.26.0

Description

Background

There is currently no escaping or validation of the callback parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. One such endpoint is /webclient/imgData/… As we only really use these endpoints with jQuery’s own callback name generation [1] it is quite difficult or even impossible to exploit this in vanilla OMERO.web. However, these metadata endpoints are likely to be used by many plugins.
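As an added illustration of the check the advisory title calls for (example code written for this page, not OMERO.web's own fix; the helper names and the 128-character limit are assumptions), the unvalidated pattern beside a validated one, using the dotted-identifier rule the referenced Stack Overflow answers describe:

```python
import json
import re

# Conservative JavaScript identifier grammar: ASCII letters, digits, "$" and "_",
# optionally dotted for a namespaced handler ("app.handlers.onImage"). jQuery's
# generated names ("jQuery1102..._17...") fit this. The full Unicode identifier
# grammar is deliberately not accepted; a rule this small is easy to audit.
_IDENT = r"[A-Za-z_$][A-Za-z0-9_$]*"
_CALLBACK_RE = re.compile(rf"{_IDENT}(?:\.{_IDENT})*")


def is_valid_callback(name: str, max_len: int = 128) -> bool:
    """True only if ``name`` is a plain (dotted) identifier of sane length."""
    return 0 < len(name) <= max_len and _CALLBACK_RE.fullmatch(name) is not None


def jsonp_unsafe(callback: str, payload: dict) -> str:
    """'Before': the callback is interpolated verbatim, so whatever the caller
    put in the query string is returned as executable JavaScript."""
    return "%s(%s)" % (callback, json.dumps(payload))


def render_jsonp(callback: str, payload: dict) -> tuple:
    """'After': returns (status, body) the way a Django view would, without
    needing Django installed. Hypothetical helper, not OMERO.web's own code."""
    if not is_valid_callback(callback):
        return 400, json.dumps({"error": "invalid JSONP callback"})
    body = json.dumps(payload)  # ensure_ascii=True already escapes U+2028/2029
    # Neutralise "<", ">" and "&" so the JSON can never close a script context
    # if the response is ever rendered as HTML; the "/**/" prefix is a common
    # hardening so the body cannot be sniffed as another file type. Serve it as
    # application/javascript with X-Content-Type-Options: nosniff.
    body = body.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    return 200, "/**/%s(%s);" % (callback, body)
```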

Impact

OMERO.web before 5.25.0

Patches

Users should upgrade to 5.26.0 or higher

Workarounds

None

References

  • https://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call
  • https://stackoverflow.com/questions/1661197/what-characters-are-valid-for-javascript-variable-names

For more information
If you have any questions or comments about this advisory:

Open an issue in omero-web
Email us at [email protected]

References

  • GHSA-vr85-5pwx-c6gq
  • ome/omero-web@d41207c

Footnotes

  1. https://learn.jquery.com/ajax/working-with-jsonp/

jburel published to ome/omero-web: May 21, 2024
Published to the GitHub Advisory Database: May 21, 2024
Reviewed: May 21, 2024
Last updated: May 21, 2024
