
CVE-2025-54791: OMERO.web displays unnecessary user information when requesting password reset

CVSS Score: 5.3 (CVSS v3.1)

Basic Information

EPSS Score: -
Published: 8/13/2025
Updated: 8/13/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name: omero-web
Ecosystem: pip
Vulnerable Versions: <= 5.29.1
First Patched Version: 5.29.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability lies in how OMERO.web handles error messages during the password reset process. The commit patch shows that the getGuestConnection function in omeroweb/webadmin/views.py was modified to address the issue. Previously, the function caught an omero.CmdError and extracted a specific error message from the exception's parameters for display. If the exception carried details about the account, that text disclosed sensitive user information to the unauthenticated requester. The fix replaces this logic with a static, generic error message, so no potentially sensitive detail is ever rendered on the page. getGuestConnection is therefore the identified vulnerable function, as it generated and displayed the insecure error message.
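The pattern described above, as an added example that is not OMERO.web's code: a server-side step fails with an exception carrying detail in a parameters mapping, and the only difference between the vulnerable and fixed handlers is whether that detail reaches the anonymous requester. The CmdError class, the USERS table, the lookup_for_reset step and the handler names are all constructed stand-ins for illustration, not the real omero.CmdError or the real getGuestConnection logic.

```python
import logging

log = logging.getLogger(__name__)


class CmdError(Exception):
    """Constructed stand-in for omero.CmdError: a server error whose
    human-readable detail lives in a `parameters` mapping."""

    def __init__(self, message, parameters=None):
        super().__init__(message)
        self.parameters = dict(parameters or {})


# Constructed user directory for the simulation (not real data).
USERS = {
    "alice": {"email": "alice@example.org"},
    "bob": {"email": None},
}

# Fixed text shown on the page regardless of why the reset failed.
GENERIC_MESSAGE = "Unable to reset password. Please contact your administrator."


def lookup_for_reset(username):
    """Simulated server-side step of a password reset that fails with
    detail-bearing errors (hypothetical; stands in for the guest connection)."""
    user = USERS.get(username)
    if user is None:
        raise CmdError("lookup failed",
                       {"message": f"User '{username}' does not exist"})
    if not user["email"]:
        raise CmdError("lookup failed",
                       {"message": f"User '{username}' has no email address registered"})
    return user["email"]


def reset_error_leaky(err):
    """Vulnerable pattern: relay the exception's parameter text to the requester."""
    return err.parameters.get("message") or str(err)


def reset_error_hardened(err):
    """Fixed pattern: keep the detail in the server log, show a static message."""
    log.warning("password reset failed: %s", err.parameters.get("message", err))
    return GENERIC_MESSAGE


def handle_reset_request(username, render_error):
    """Run the reset step and map any CmdError to the user-visible string."""
    try:
        lookup_for_reset(username)
        return "If the account exists, an email has been sent."
    except CmdError as err:
        return render_error(err)


def responses_distinguishable(render_error, usernames):
    """Defender check: True if the visible error text varies with account state,
    i.e. the page tells an anonymous requester something about the user."""
    seen = {handle_reset_request(u, render_error) for u in usernames}
    return len(seen) > 1


if __name__ == "__main__":
    for renderer in (reset_error_leaky, reset_error_hardened):
        print(renderer.__name__)
        for name in ("bob", "carol"):
            print("  ", name, "->", handle_reset_request(name, renderer))
```

Running the block with the leaky renderer prints two different messages that each embed the username and its account state; with the hardened renderer both failing requests produce the same GENERIC_MESSAGE, and the detail is only in the server log where operators can see it. The responses_distinguishable check is the kind of assertion worth keeping in a test suite for any unauthenticated account-recovery endpoint.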


WAF Protection Rules

WAF Rule

### Background

If an error occurred when resetting a user's password using the ``Forgot Password`` option in OMERO.web, the error message displayed on the Web page can disclose information about the user.

### Impact

OMERO.web versions before 5.29.2
