CVE-2021-41132

9.8 CRITICAL

📋 TL;DR

CVE-2021-41132 is a critical cross-site scripting (XSS) vulnerability in OMERO.web that allows attackers to inject malicious scripts into web pages. This affects all users of OMERO.web versions before 5.11.0, potentially compromising user sessions and data.

💻 Affected Systems

Products:
  • OMERO.web
Versions: All versions prior to 5.11.0
Operating Systems: All platforms running OMERO.web
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with web interface enabled are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover, data theft, credential harvesting, and lateral movement within the application.

🟠 Likely Case: Session hijacking, data exfiltration, and unauthorized actions performed on behalf of authenticated users.

🟢 If Mitigated: Limited impact due to proper input validation and output encoding controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction with malicious content but is technically simple.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.11.0

Vendor Advisory: https://www.openmicroscopy.org/security/advisories/2021-SV3/

Restart Required: Yes

Instructions:

1. Backup your OMERO installation.
2. Upgrade OMERO.web to version 5.11.0 or later using your package manager or from source.
3. Restart the OMERO.web service.

🔧 Temporary Workarounds

No workarounds available

The vendor states there are no known workarounds aside from upgrading.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to limit script execution
  • Deploy a web application firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check OMERO.web version via web interface or configuration files.

Check Version:

Check the omero-web version in your package manager or via 'pip show omero-web'. Compare versions numerically, not as strings: 5.9.x sorts after 5.11.0 lexically but is still vulnerable.

Verify Fix Applied:

Confirm version is 5.11.0 or higher and test input fields for proper HTML escaping.
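As an added example (not from the advisory or the OMERO project), a Python check that reads the installed omero-web version from the current environment, or the Version line from saved `pip show omero-web` output, and compares it numerically against 5.11.0. The pip output below is constructed; pre-release builds of 5.11.0 are treated as not fixed.

```python
import re
from importlib import metadata

# First OMERO.web release that fixes CVE-2021-41132; trailing 1 = final release.
FIXED_VERSION = (5, 11, 0, 1)


def parse_version(text):
    """Turn '5.11.0' or '5.11.0rc1' into a comparable tuple of ints.

    String comparison is wrong here ('5.9.0' > '5.11.0' lexically), so each
    dotted component is compared as an integer. A pre-release marker makes
    the last element 0 so that 5.11.0rc1 < 5.11.0.
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    prerelease = bool(re.search(r"[A-Za-z]", text))
    return tuple(parts[:3]) + ((0,) if prerelease else (1,))


def is_fixed(version_text):
    """True when the given omero-web version carries the CVE-2021-41132 fix."""
    return parse_version(version_text) >= FIXED_VERSION


def version_from_pip_show(output):
    """Extract the Version field from `pip show omero-web` output."""
    for line in output.splitlines():
        if line.lower().startswith("version:"):
            return line.split(":", 1)[1].strip()
    return None


def installed_version():
    """Version of omero-web in this Python environment, or None if absent."""
    try:
        return metadata.version("omero-web")
    except metadata.PackageNotFoundError:
        return None


# Constructed sample, shaped like `pip show omero-web` output on a vulnerable host.
SAMPLE_PIP_SHOW = """Name: omero-web
Version: 5.9.1
Summary: OMERO.web
Location: /opt/omero/venv/lib/python3.8/site-packages
"""

if __name__ == "__main__":
    v = installed_version() or version_from_pip_show(SAMPLE_PIP_SHOW)
    state = "fixed" if is_fixed(v) else "VULNERABLE to CVE-2021-41132"
    print(f"omero-web {v}: {state}")
```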

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript payloads in request logs
  • Multiple failed XSS attempts

Network Indicators:

  • Suspicious script tags in HTTP requests to OMERO endpoints

SIEM Query:

web_requests WHERE url CONTAINS 'omero' AND (body CONTAINS '<script>' OR body CONTAINS 'javascript:')
