9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41132

GHSA ID

GHSA-g67g-hvc3-xmvf

EPSS Score

0.75018%

CWE

CWE-79

Published

10/14/2021

Updated

10/8/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-41132

CVE-2021-41132: Inconsistent input sanitisation leads to XSS vectors

Background

A variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of jQuery.html(), there are a whole host of XSS possibilities with specially crafted input to a variety of fields.

Impact

OMERO.web before 5.11.0 and OMERO.figure before 4.4.1.

Patches

Users should upgrade OMERO.web to 5.11.0 or higher and OMERO.figure to 4.4.1 or higher.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41132

GHSA ID

GHSA-g67g-hvc3-xmvf

EPSS Score

0.75018%

CWE

CWE-79

Published

10/14/2021

Updated

10/8/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
omero-web	pip	< 5.11.0	5.11.0
omero-figure	pip	< 4.4.1	4.4.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two primary patterns: 1) Use of jQuery.html() with unsanitized user input in JavaScript files, and 2) Underscore template interpolation using <%= instead of <%- for HTML context. The commit diff shows systematic replacement of unsafe practices: adding .escapeHTML() to JavaScript string injections and switching template interpolators. Vulnerable functions are those that handled user-controlled data (labels, names, textValues) without these sanitization measures in prior versions. High confidence comes from direct correlation between patched locations and XSS vulnerability patterns described in advisories.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### ***k*roun* * v*ri*ty o* t*mpl*t*s *o not p*r*orm prop*r s*nitiz*tion t*rou** *TML *s**pin*. *u* to t** l**k o* s*nitiz*tion *n* us* o* ``jQu*ry.*tml()``, t**r* *r* * w*ol* *ost o* XSS possi*iliti*s wit* sp**i*lly *r**t** input to * v*ri*ty o* *i

Reasoning

T** vuln*r**ility st*ms *rom two prim*ry p*tt*rns: *) Us* o* `jQu*ry.*tml()` wit* uns*nitiz** us*r input in J*v*S*ript *il*s, *n* *) Un**rs*or* t*mpl*t* int*rpol*tion usin* <%= inst*** o* <%- *or *TML *ont*xt. T** *ommit *i** s*ows syst*m*ti* r*pl***

9.8

Basic Information

Concerned about an active attack path?

CVE-2021-41132: Inconsistent input sanitisation leads to XSS vectors

Background

Impact

Patches

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI