Inconsistent input sanitisation leads to XSS vectors
Description
Published by the National Vulnerability Database
Oct 14, 2021
Reviewed
Oct 14, 2021
Published to the GitHub Advisory Database
Oct 14, 2021
Last updated
Sep 7, 2023
Background
A variety of templates do not perform proper sanitization through HTML escaping.
Due to the lack of sanitization and the use of jQuery.html(), there are a whole host of XSS possibilities with specially crafted input to a variety of fields.
Impact
OMERO.web before 5.11.0 and OMERO.figure before 4.4.1.
Patches
Users should upgrade OMERO.web to 5.11.0 or higher and OMERO.figure to 4.4.1 or higher.
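The Background section above names the pattern behind this class of bug: an unescaped field value is concatenated into markup and handed to jQuery.html(). The following is an added example, not code from OMERO.web or OMERO.figure, showing the vulnerable rendering pattern beside the escaped one. It runs under Node without a DOM: the render functions only build the markup string that a call such as $(el).html(markup) would pass to the browser. The function names, the field name and the sample value are constructed for illustration.

```javascript
// Added example (not OMERO code): why HTML-escaping matters before an
// untrusted string is inserted into markup via jQuery.html() / innerHTML.

// Minimal escaper for the five characters that matter in HTML text and
// attribute contexts. '&' is in the set so entities already present in the
// input are not mistaken for ones we produce ourselves.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the untrusted field value is concatenated straight into
// the template, so whatever the user typed becomes DOM structure.
function renderUnsafe(fieldName, value) {
  return `<span class="field">${fieldName}: ${value}</span>`;
}

// Fixed pattern: every untrusted value is escaped before it reaches the
// markup, so it can only ever be rendered as text.
function renderEscaped(fieldName, value) {
  return `<span class="field">${escapeHtml(fieldName)}: ${escapeHtml(value)}</span>`;
}

// Cheap check used by the demo: count '<' characters in the markup. The
// template itself contributes exactly two (the opening and closing span), so
// anything beyond that came from the data, not the template.
function countTags(markup) {
  return (markup.match(/</g) || []).length;
}

// Constructed sample input: a field value carrying a script element.
const hostileValue = '<script>alert("xss")</script>';

// renderUnsafe keeps the script element intact (4 tags in total);
// renderEscaped turns it into inert text (only the template's 2 tags remain).
const unsafeMarkup = renderUnsafe("Description", hostileValue);
const safeMarkup = renderEscaped("Description", hostileValue);
```

In jQuery terms the same fix is either to escape as above before calling .html(), or to set the value with .text(), which assigns text content and never parses it as markup.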
References