CVE-2024-35180

OMERO.web provides a web based client and plugin infrastructure. There is currently no escaping or validation of the `callback` parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. This vulnerability has been patched in version 5.26.0.

OMERO.web provides a web based client and plugin infrastructure. There is currently no escaping or validation of the `callback` parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. This vulnerability has been patched in version 5.26.0.

### Background There is currently no escaping or validation of the `callback` parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. One such endpoint is `/webclient/imgData/...`. As we only really use these endpoints with jQuery's own callback name generation [^1] it is quite difficult or even impossible to exploit this in vanilla OMERO.web. However, these metadata endpoints are likely to be used by many plugins. [^1]: https://learn.jquery.com/ajax/working-with-jsonp/ ### Impact OMERO.web before 5.25.0 ### Patches Users should upgrade to 5.26.0 or higher ### Workarounds None ### References * https://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call * https://stackoverflow.com/questions/1661197/what-characters-are-valid-for-javascript-variable-names For more information If you have any questions or comments about this advisory: Open an issue in [omero-web](https://github.com/ome/omero-web) Email us at [security@openmicroscopy.org](mailto:security@openmicroscopy.org)

### Background There is currently no escaping or validation of the `callback` parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. One such endpoint is `/webclient/imgData/...`. As we only really use these endpoints with jQuery's own callback name generation [^1] it is quite difficult or even impossible to exploit this in vanilla OMERO.web. However, these metadata endpoints are likely to be used by many plugins. [^1]: https://learn.jquery.com/ajax/working-with-jsonp/ ### Impact OMERO.web before 5.25.0 ### Patches Users should upgrade to 5.26.0 or higher ### Workarounds None ### References * https://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call * https://stackoverflow.com/questions/1661197/what-characters-are-valid-for-javascript-variable-names For more information If you have any questions or comments about this advisory: Open an issue in [omero-web](https://github.com/ome/omero-web) Email us at [security@openmicroscopy.org](mailto:security@openmicroscopy.org)

OMERO.web proporciona una infraestructura de complementos y cliente basada en web. Actualmente no existe ningún escape ni validación del parámetro `callback` que se pueda pasar a varios endpoints de OMERO.web que tengan JSONP habilitado. Esta vulnerabilidad ha sido parcheada en la versión 5.26.0.