Description
OMERO.web displays unnecessary user information when requesting password reset
Background
If an error occurred when resetting a user's password using the Forgot Password option in OMERO.web, the error message displayed on the Web page can disclose information about the user.
Impact
OMERO.web before 5.29.1
Patches
Users should upgrade to 5.29.2 or higher.
Workarounds
Disable the Forgot password option in OMERO.web using the omero.web.show_forgot_password configuration property.
Thanks to Christopher Youd who reported the issue.
Open an issue in omero-web
Email us at security@openmicroscopy.org
Packages
omero-web: affected versions <= 5.29.1, patched version 5.29.2
Related vulnerabilities
OMERO.web provides a web based client and plugin infrastructure. Prior to version 5.29.2, if an error occurred when resetting a user's password using the Forgot Password option in OMERO.web, the error message displayed on the Web page can disclose information about the user. This issue has been patched in version 5.29.2. A workaround involves disabling the Forgot password option in OMERO.web using the omero.web.show_forgot_password configuration property.