CVE-2024-35180

Severity: Medium (CVSS 3.1 base score 6.1) · EPSS 20.8%
Published May 21, 2024 · Modified Jun 17, 2026

Description

OMERO.web provides a web-based client and plugin infrastructure. The `callback` parameter accepted by the various OMERO.web endpoints that have JSONP enabled is currently neither escaped nor validated. This vulnerability has been patched in version 5.26.0.
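The advisory text describes the defect only in one sentence, so the following is an added illustration (not OMERO.web's own code, and not the upstream fix) of what "no escaping or validation of the callback parameter" means for a JSONP endpoint, placed beside a hardened variant. The function and class names, the allow-list regular expression and the length limit are assumptions chosen for this example.

```python
import json
import re

# Allow-list for a JSONP callback: a JavaScript identifier, optionally
# dotted (e.g. "jQuery123.success"). Anything outside this shape is rejected.
# The pattern and the 64-character cap are assumptions for this example.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")
MAX_CALLBACK_LEN = 64


class InvalidCallback(ValueError):
    """Raised when a JSONP callback name fails the allow-list check."""


def jsonp_unvalidated(callback, payload):
    """The pattern the advisory describes: the caller-supplied callback is
    interpolated verbatim into a script body, so any characters it carries
    end up executed in the requesting page's origin."""
    return f"{callback}({json.dumps(payload)});"


def validate_callback(callback):
    """Accept only identifier-shaped callback names; reject everything else."""
    if callback is None or len(callback) > MAX_CALLBACK_LEN:
        raise InvalidCallback("callback missing or too long")
    if not CALLBACK_RE.match(callback):
        raise InvalidCallback("callback is not a plain JavaScript identifier")
    return callback


def jsonp_validated(callback, payload):
    """Hardened variant: validate the name, serialise the payload with
    json.dumps (its default ensure_ascii=True also escapes U+2028/U+2029,
    which are line terminators in JavaScript), prefix a comment so the
    response cannot be mistaken for another content type, and return the
    headers a JSONP response should carry."""
    name = validate_callback(callback)
    body = f"/**/{name}({json.dumps(payload)});"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def is_rejected(callback):
    """Helper for checks: True when the hardened path refuses the name."""
    try:
        validate_callback(callback)
    except InvalidCallback:
        return True
    return False


if __name__ == "__main__":
    sample = {"id": 42, "name": "image.tif"}          # constructed sample payload
    print(jsonp_validated("jQuery123.success", sample)[1])
    # A name containing markup or statement separators is refused outright,
    # whereas the unvalidated builder would echo it into the script body.
    for bad in ("bad<name>", "a;b", "cb\u2028x"):
        print(repr(bad), "rejected" if is_rejected(bad) else "accepted")
```

The allow-list approach is preferable to escaping: a callback name has no legitimate reason to contain anything but identifier characters and dots, so rejecting the request with a 400 is simpler to reason about than trying to neutralise every character a browser might interpret. Logging rejected callback values (truncated) gives a cheap detection signal for probing of JSONP endpoints.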

CVSS Details

Base Score
6.1
Exploitability
2.8
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
20.8%
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses (1)

CWE-830

Affected Products (1)

Vendor          Product     Version   Range
openmicroscopy  omero-web   *         <5.26.0

References (2)

  • github.com https://github.com/ome/omero-web/commit/d41207cbb82afc56ea79e84db532608aa24ab4aa
    Patch
  • github.com https://github.com/ome/omero-web/security/advisories/GHSA-vr85-5pwx-c6gq
    Vendor Advisory

Remediation

  • github.com https://github.com/ome/omero-web/commit/d41207cbb82afc56ea79e84db532608aa24ab4aa
    Patch