A variety of templates do not perform proper sanitization through HTML escaping.
Due to the lack of sanitization and use of jQuery.html()
, there are a whole host of XSS possibilities with specially crafted input to a variety of fields.
OMERO.web before 5.11.0 and OMERO.figure before 4.4.1.
Users should upgrade OMERO.web to 5.11.0 or higher and OMERO.figure to 4.4.1 or higher.