CVE-2021-41132: Inconsistent input sanitisation leads to XSS vectors
CVSS Score: 9.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2021-41132
GHSA ID:
EPSS Score: 0.75018%
CWE:
Published: 10/14/2021
Updated: 10/8/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
omero-web | pip | < 5.11.0 | 5.11.0
omero-figure | pip | < 4.4.1 | 4.4.1
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two primary patterns: 1) use of jQuery's `.html()` with unsanitized user input in JavaScript files, and 2) Underscore template interpolation using `<%=` (raw insertion) where `<%-` (HTML-escaped insertion) is required in an HTML context. The commit diff shows a systematic replacement of the unsafe practices: adding `.escapeHTML()` to JavaScript string injections and switching the template interpolator from `<%=` to `<%-`. The vulnerable functions are those that, in versions prior to the fix, handled user-controlled data (labels, names, text values) without these sanitization measures. Confidence is high because the patched locations correlate directly with the XSS patterns described in the advisories.
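The two interpolation patterns contrasted above, shown side by side on a constructed label. This is an added example, not code from omero-web or omero-figure: `escapeHTML()` is a stand-in for the helper the patch adds, `renderTemplate()` is a minimal Underscore-style renderer that supports only the `<%= %>` and `<%- %>` interpolators with simple property lookups, and `findRawInterpolations()` is an audit check for raw interpolation of user-controlled fields.

```javascript
// Added example (not the project's own code). Minimal stand-ins for the
// pieces the advisory contrasts: an escaping helper, a template renderer with
// both Underscore interpolators, and a defender's audit check.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };

// Escape the characters that change meaning in HTML text and attribute context
// (the same set Underscore's _.escape handles). Stand-in for the patch's .escapeHTML().
function escapeHTML(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Render a template: <%- expr %> escapes the value, <%= expr %> inserts it raw.
// Only property paths such as "label" or "shape.name" are supported, so no eval is needed.
function renderTemplate(template, data) {
  return template.replace(/<%([-=])\s*([\w.]+)\s*%>/g, (_m, mode, path) => {
    const value = path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
    const text = value == null ? '' : String(value);
    return mode === '-' ? escapeHTML(text) : text;
  });
}

// Constructed user-controlled input: a figure label that carries markup.
const USER_LABEL = 'ROI <b>1</b> & "x"';

// Vulnerable pattern: raw interpolation of a user-controlled field into HTML.
const VULNERABLE_TEMPLATE = '<span class="label"><%= label %></span>';
// Patched pattern: the escaping interpolator.
const PATCHED_TEMPLATE = '<span class="label"><%- label %></span>';

function renderVulnerable(label) { return renderTemplate(VULNERABLE_TEMPLATE, { label }); }
function renderPatched(label) { return renderTemplate(PATCHED_TEMPLATE, { label }); }

// Audit check: list <%= %> interpolations whose root object is a user-controlled field.
function findRawInterpolations(template, userFields) {
  const hits = [];
  const re = /<%=\s*([\w.]+)\s*%>/g;
  let m;
  while ((m = re.exec(template)) !== null) {
    if (userFields.includes(m[1].split('.')[0])) hits.push(m[1]);
  }
  return hits;
}

console.log('vulnerable:', renderVulnerable(USER_LABEL)); // markup reaches the DOM intact
console.log('patched:   ', renderPatched(USER_LABEL));    // markup rendered as literal text
```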