6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-35180

GHSA ID

GHSA-vr85-5pwx-c6gq

EPSS Score

0.43996%

CWE

CWE-830

Published

5/21/2024

Updated

5/21/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-35180

CVE-2024-35180:
OMERO.web must check that the JSONP callback is a valid function

Background

There is currently no escaping or validation of the callback parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. One such endpoint is /webclient/imgData/.... As we only really use these endpoints with jQuery's own callback name generation ^1 it is quite difficult or even impossible to exploit this in vanilla OMERO.web. However, these metadata endpoints are likely to be used by many plugins.

Impact

OMERO.web before 5.25.0

Patches

Users should upgrade to 5.26.0 or higher

Workarounds

None

References

https://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call
https://stackoverflow.com/questions/1661197/what-characters-are-valid-for-javascript-variable-names

For more information If you have any questions or comments about this advisory:

Open an issue in omero-web Email us at security@openmicroscopy.org

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-35180

GHSA ID

GHSA-vr85-5pwx-c6gq

EPSS Score

0.43996%

CWE

CWE-830

Published

5/21/2024

Updated

5/21/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
omero-web	pip	< 5.26.0	5.26.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unvalidated use of the 'callback' parameter in JSONP endpoints. The commit diff shows the vulnerability was patched by adding a regex check (VALID_JS_VARIABLE) to the 'wrap' function in views.py. This function previously took the callback parameter from request.GET and constructed a JSONP response without validation, making it the clear injection point. The direct modification of this function in the patch confirms its role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### ***k*roun* T**r* is *urr*ntly no *s**pin* or v*li**tion o* t** `**ll***k` p*r*m*t*r t**t **n ** p*ss** to v*rious OM*RO.w** *n*points t**t **v* JSONP *n**l**. On* su** *n*point is `/w***li*nt/im***t*/...`. *s w* only r**lly us* t**s* *n*points w

Reasoning

T** vuln*r**ility st*ms *rom unv*li**t** us* o* t** '**ll***k' p*r*m*t*r in JSONP *n*points. T** *ommit *i** s*ows t** vuln*r**ility w*s p*t**** *y ***in* * r***x ****k (V*LI*_JS_V*RI**L*) to t** 'wr*p' *un*tion in vi*ws.py. T*is *un*tion pr*viously

6.1

Basic Information

Concerned about an active attack path?

CVE-2024-35180: OMERO.web must check that the JSONP callback is a valid function

Background

Impact

Patches

Workarounds

References

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-35180:
OMERO.web must check that the JSONP callback is a valid function

Vulnerability Intelligence
Miggo AI