{"id":"PYSEC-2021-379","details":"OMERO.web provides a web based client and plugin infrastructure. In versions prior to 5.11.0, a variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of ``jQuery.html()``, there are a whole host of cross-site scripting possibilities with specially crafted input to a variety of fields. This issue is patched in version 5.11.0. There are no known workarounds aside from upgrading.","aliases":["CVE-2021-41132","GHSA-g67g-hvc3-xmvf","PYSEC-2021-372"],"modified":"2023-11-08T04:06:52.354646Z","published":"2021-10-14T16:15:00Z","references":[{"type":"ADVISORY","url":"https://github.com/ome/omero-web/security/advisories/GHSA-g67g-hvc3-xmvf"},{"type":"ADVISORY","url":"https://www.openmicroscopy.org/security/advisories/2021-SV3/"},{"type":"FIX","url":"https://github.com/ome/omero-web/commit/0168067accde5e635341b3c714b1d53ae92ba424"}],"affected":[{"package":{"name":"omero-figure","ecosystem":"PyPI","purl":"pkg:pypi/omero-figure"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.4.1"}]}],"versions":["2.0.0","2.0.1","3.0.0","3.1.0","3.1.1","3.1.2","3.2.0","3.2.1","4.0.0","4.0.1","4.0.2","4.1.0","4.2.0","4.2.dev1","4.3.0","4.3.1","4.3.2","4.4.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/omero-figure/PYSEC-2021-379.yaml"}}],"schema_version":"1.7.3"}