{"id":"PYSEC-2021-372","details":"OMERO.web provides a web based client and plugin infrastructure. In versions prior to 5.11.0, a variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of ``jQuery.html()``, there are a whole host of cross-site scripting possibilities with specially crafted input to a variety of fields. This issue is patched in version 5.11.0. There are no known workarounds aside from upgrading.","aliases":["CVE-2021-41132","GHSA-g67g-hvc3-xmvf","PYSEC-2021-379"],"modified":"2023-11-08T04:06:52.354646Z","published":"2021-10-14T16:15:00Z","references":[{"type":"ADVISORY","url":"https://github.com/ome/omero-web/security/advisories/GHSA-g67g-hvc3-xmvf"},{"type":"ADVISORY","url":"https://www.openmicroscopy.org/security/advisories/2021-SV3/"},{"type":"FIX","url":"https://github.com/ome/omero-web/commit/0168067accde5e635341b3c714b1d53ae92ba424"}],"affected":[{"package":{"name":"omero-web","ecosystem":"PyPI","purl":"pkg:pypi/omero-web"},"ranges":[{"type":"GIT","repo":"https://github.com/ome/omero-web","events":[{"introduced":"0"},{"fixed":"0168067accde5e635341b3c714b1d53ae92ba424"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.11.0"}]}],"versions":["5.10.0","5.11.0rc1","5.5.dev1","5.5.dev2","5.6.0","5.6.1","5.6.2","5.6.3","5.6.dev1","5.6.dev2","5.6.dev3","5.6.dev4","5.6.dev5","5.6.dev6","5.6.dev7","5.7.0","5.7.1","5.8.0","5.8.1","5.9.0","5.9.1","5.9.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/omero-web/PYSEC-2021-372.yaml"}}],"schema_version":"1.7.3"}