CVE-2021-21377

medium

Description

OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the omero.web.redirect_allowed_hosts setting.

References

Advisories
More

https://pypi.org/project/omero-web/

https://github.com/ome/omero-web/security/advisories/GHSA-g4rf-pc26-6hmr

https://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c

https://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021

https://www.openmicroscopy.org/security/advisories/2021-SV2/

Details

Source: Mitre, NVD

Published: 2021-03-23

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 4.9

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 5.4

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

CVSS v4

Base Score: 5.9

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Severity: Medium

EPSS

EPSS: 0.00314