Description
OMERO.web provides a web based client and plugin infrastructure. In versions prior to 5.11.0, a variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of jQuery.html(), there are a whole host of cross-site scripting possibilities with specially crafted input to a variety of fields. This issue is patched in version 5.11.0. There are no known workarounds aside from upgrading.
References
- Patch, Third Party Advisory
- Third Party Advisory
- Vendor Advisory
Vulnerable configurations
Configuration 1: version before 4.4.1 (excluding); version before 5.11.0 (excluding)
One of:
cpe:2.3:a:openmicroscopy:omero-figure:*:*:*:*:*:*:*:*
cpe:2.3:a:openmicroscopy:omero-web:*:*:*:*:*:*:*:*
EPSS
Percentile: 68%
Score: 0.00558
Low
CVSS3: 9.8 Critical
CVSS3: 6.1 Medium
CVSS2: 4.3 Medium
Weaknesses
CWE-116
CWE-79
Related vulnerabilities
CVSS3: 9.8, github, more than 4 years ago
Inconsistent input sanitisation leads to XSS vectors