OMERO.web Password Reset Information Disclosure Vulnerability

Vulnerability

A vulnerability in OMERO.web versions prior to 5.29.2 allows for the unintentional disclosure of user information. When an error occurs during the password reset process via the 'Forgot Password' feature, the resulting error message can reveal sensitive details about the user. This issue has been addressed in version 5.29.2. Users can also disable the 'Forgot Password' option by using the 'omero.web.show_forgot_password' configuration property.

Impact

The vulnerability could lead to unauthorized information disclosure: an attacker who triggers an error in the password reset flow can learn details about user accounts from the resulting error message.

Remediation

Users are advised to upgrade to OMERO.web version 5.29.2 or later. If an immediate upgrade is not possible, the 'Forgot Password' feature can be disabled using the 'omero.web.show_forgot_password' configuration property.
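As an added illustration of the bug class this advisory describes (not OMERO.web's own code, and not its actual messages), a constructed 'Forgot Password' handler that puts failure details into its response sits beside a hardened one that returns the same fixed message for every outcome. The user directory, the mailer stand-in and all message texts are assumptions made for the example.

```python
# Constructed user directory for this example: username -> (e-mail, is_active)
USERS = {
    "alice": ("alice@example.org", True),
    "bob": ("bob@example.org", False),
    "carol": ("carol@invalid.test", True),
}
SERVER_LOG = []  # failure details belong here, never in the HTTP response
GENERIC = "If an account matching that name exists, an e-mail has been sent."

class MailError(Exception):
    """Stand-in for any exception raised while sending the reset e-mail."""

def send_reset_mail(email: str) -> None:
    # Constructed stand-in for the mailer: delivery fails for one domain.
    if email.endswith("@invalid.test"):
        raise MailError(f"SMTP rejected recipient {email}")

def leaky_forgot_password(username: str) -> str:
    # Vulnerable pattern: each failure message differs and echoes user data, so
    # a requester learns whether an account exists, is active, and its e-mail.
    user = USERS.get(username)
    if user is None:
        return f"Error: no user named {username!r}"
    email, active = user
    if not active:
        return f"Error: account {username!r} ({email}) is inactive"
    try:
        send_reset_mail(email)
    except MailError as exc:
        return f"Error: {exc}"
    return f"Reset e-mail sent to {email}"

def safe_forgot_password(username: str) -> str:
    # Hardened pattern: one fixed response; specifics go only to the server log.
    user = USERS.get(username)
    if user is None:
        SERVER_LOG.append(f"reset: unknown user {username!r}")
    elif not user[1]:
        SERVER_LOG.append(f"reset: inactive user {username!r}")
    else:
        try:
            send_reset_mail(user[0])
            SERVER_LOG.append(f"reset: mail sent for {username!r}")
        except MailError as exc:
            SERVER_LOG.append(f"reset: mail for {username!r} failed: {exc}")
    return GENERIC

def responses_are_uniform(handler, usernames) -> bool:
    # Defender's check: every username, valid or not, must get the same message.
    return len({handler(name) for name in usernames}) == 1
```

The `responses_are_uniform` check is the property to test when reviewing any reset endpoint: if responses differ across existing, missing and failing accounts, the endpoint is an account-enumeration oracle even when the upgrade has been applied elsewhere.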

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 8.1
remediation: 8.3
relevance: 0.4
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.