ghsa-gpmg-4x4g-mr5r
Vulnerability from github
Published
2025-08-13 18:47
Modified
2025-08-27 14:29
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
OMERO.web displays unecessary user information when requesting password reset
Details

Background

If an error occurred when resetting a user's password using the Forgot Password option in OMERO.web, the error message displayed on the Web page can disclose information about the user.

Impact

OMERO.web before 5.29.1

Patches

User should upgrade to 5.29.2 or higher

Workarounds

Disable the Forgot password option in OMERO.web using the omero.web.show_forgot_password configuration property^1.

Thanks to Christopher Youd who reported the issue.

Open an issue in omero-web Email us at security@openmicroscopy.org

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.29.1"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "omero-web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.29.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54791"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-13T18:47:35Z",
    "nvd_published_at": "2025-08-13T14:15:32Z",
    "severity": "MODERATE"
  },
  "details": "### Background\n\nIf an error occurred when resetting a user\u0027s password using the ``Forgot Password`` option in OMERO.web, the error message displayed on the Web page can disclose information about the user.\n\n### Impact\nOMERO.web before 5.29.1\n\n### Patches\nUser should upgrade to 5.29.2 or higher\n\n### Workarounds\nDisable the ``Forgot password`` option in OMERO.web using the ``omero.web.show_forgot_password`` configuration property[^1].\n\nThanks to Christopher Youd who reported the issue.\n\nOpen an issue in [omero-web](https://github.com/ome/omero-web)\nEmail us at [security@openmicroscopy.org](mailto:security@openmicroscopy.org)\n\n[^1]: https://omero.readthedocs.io/en/stable/sysadmins/config.html#omero.web.show_forgot_password",
  "id": "GHSA-gpmg-4x4g-mr5r",
  "modified": "2025-08-27T14:29:25Z",
  "published": "2025-08-13T18:47:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ome/omero-web/security/advisories/GHSA-gpmg-4x4g-mr5r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54791"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ome/omero-web/commit/8aa2789e8f759c73f1517abe9a0abd44e86644ad"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ome/omero-web"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OMERO.web displays unecessary user information when requesting password reset"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.