GHSA-GPMG-4X4G-MR5R

Vulnerability from github – Published: 2025-08-13 18:47 – Updated: 2025-08-27 14:29
VLAI?
Summary
OMERO.web displays unecessary user information when requesting password reset
Details

Background

If an error occurred when resetting a user's password using the Forgot Password option in OMERO.web, the error message displayed on the Web page can disclose information about the user.

Impact

OMERO.web before 5.29.1

Patches

User should upgrade to 5.29.2 or higher

Workarounds

Disable the Forgot password option in OMERO.web using the omero.web.show_forgot_password configuration property^1.

Thanks to Christopher Youd who reported the issue.

Open an issue in omero-web Email us at security@openmicroscopy.org

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.29.1"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "omero-web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.29.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54791"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-13T18:47:35Z",
    "nvd_published_at": "2025-08-13T14:15:32Z",
    "severity": "MODERATE"
  },
  "details": "### Background\n\nIf an error occurred when resetting a user\u0027s password using the ``Forgot Password`` option in OMERO.web, the error message displayed on the Web page can disclose information about the user.\n\n### Impact\nOMERO.web before 5.29.1\n\n### Patches\nUser should upgrade to 5.29.2 or higher\n\n### Workarounds\nDisable the ``Forgot password`` option in OMERO.web using the ``omero.web.show_forgot_password`` configuration property[^1].\n\nThanks to Christopher Youd who reported the issue.\n\nOpen an issue in [omero-web](https://github.com/ome/omero-web)\nEmail us at [security@openmicroscopy.org](mailto:security@openmicroscopy.org)\n\n[^1]: https://omero.readthedocs.io/en/stable/sysadmins/config.html#omero.web.show_forgot_password",
  "id": "GHSA-gpmg-4x4g-mr5r",
  "modified": "2025-08-27T14:29:25Z",
  "published": "2025-08-13T18:47:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ome/omero-web/security/advisories/GHSA-gpmg-4x4g-mr5r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54791"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ome/omero-web/commit/8aa2789e8f759c73f1517abe9a0abd44e86644ad"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ome/omero-web"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OMERO.web displays unecessary user information when requesting password reset"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.