{"id":"GHSA-vr85-5pwx-c6gq","summary":"OMERO.web must check that the JSONP callback is a valid function","details":"### Background\n\nThere is currently no escaping or validation of the `callback` parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. One such endpoint is `/webclient/imgData/...`. As we only really use these endpoints with jQuery's own callback name generation [^1] it is quite difficult or even impossible to exploit this in vanilla OMERO.web. However, these metadata endpoints are likely to be used by many plugins.\n\n[^1]: https://learn.jquery.com/ajax/working-with-jsonp/\n\n### Impact\nOMERO.web before 5.25.0\n\n### Patches\nUsers should upgrade to 5.26.0 or higher\n### Workarounds\n\nNone\n\n### References\n* https://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call\n* https://stackoverflow.com/questions/1661197/what-characters-are-valid-for-javascript-variable-names\n\nFor more information\nIf you have any questions or comments about this advisory:\n\nOpen an issue in [omero-web](https://github.com/ome/omero-web)\nEmail us at [security@openmicroscopy.org](mailto:security@openmicroscopy.org)\n","aliases":["CVE-2024-35180"],"modified":"2024-05-21T15:56:59.065119Z","published":"2024-05-21T14:33:23Z","related":["CVE-2024-35180"],"database_specific":{"github_reviewed_at":"2024-05-21T14:33:23Z","severity":"MODERATE","cwe_ids":["CWE-830"],"nvd_published_at":"2024-05-21T13:15:08Z","github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/ome/omero-web/security/advisories/GHSA-vr85-5pwx-c6gq"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35180"},{"type":"WEB","url":"https://github.com/ome/omero-web/commit/d41207cbb82afc56ea79e84db532608aa24ab4aa"},{"type":"PACKAGE","url":"https://github.com/ome/omero-web"}],"affected":[{"package":{"name":"omero-web","ecosystem":"PyPI","purl":"pkg:pypi/omero-web"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.26.0"}]}],"versions":["5.10.0","5.11.0","5.11.0rc1","5.12.0","5.12.1","5.13.0","5.14.0","5.14.0rc1","5.14.1","5.15.0","5.16.0","5.17.0","5.18.0","5.19.0","5.20.0","5.21.0","5.22.0","5.22.1","5.23.0","5.23.1.dev0","5.24.0","5.25.0","5.5.dev1","5.5.dev2","5.6.0","5.6.1","5.6.2","5.6.3","5.6.dev1","5.6.dev2","5.6.dev3","5.6.dev4","5.6.dev5","5.6.dev6","5.6.dev7","5.7.0","5.7.1","5.8.0","5.8.1","5.9.0","5.9.1","5.9.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-vr85-5pwx-c6gq/GHSA-vr85-5pwx-c6gq.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}