GoogleOSV:GHSA-VR85-5PWX-C6GQOMERO.web must check that the JSONP callback is a valid function
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.6 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.0%
Background
There is currently no escaping or validation of the callback parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. One such endpoint is /webclient/imgData/.... As we only really use these endpoints with jQuery’s own callback name generation ^1 it is quite difficult or even impossible to exploit this in vanilla OMERO.web. However, these metadata endpoints are likely to be used by many plugins.
Impact
OMERO.web before 5.25.0
Patches
Users should upgrade to 5.26.0 or higher
Workarounds
None
References
- https://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call
- https://stackoverflow.com/questions/1661197/what-characters-are-valid-for-javascript-variable-names
For more information
If you have any questions or comments about this advisory:
Open an issue in omero-web
Email us at [email protected]
Related
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.6 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.0%