Personal tools
  • We're Hiring!

You are here: Home Products OMERO Security Vulnerabilities 2014-SV3 CSRF

2014-SV3 CSRF

Web-related security vulnerability affecting OMERO5 versions up to and including 5.0.5.


Forms in OMERO.web are susceptible to CSRF attacks.


CSRF (cross-site request forgery) is also known as a one-click attack or session riding. It's a type of malicious exploit where unauthorized commands are transmitted from a user that the website trusts.

Affected packages

OMERO.web versions prior to 5.0.6.


If a user can be convinced or tricked into opening an untrusted webpage from a browser where they've previously logged into OMERO, the OMERO.web session can be reused to access OMERO as that user.

Due to the complexity of such an exploit, we do not consider this a critical security vulnerability.


Users should actively logout when finished working with OMERO.web and take care when accessing non-trusted websites.


All OMERO.server users should upgrade to at least 5.0.6:


Leif Nixon for notifying the OME team of this security issue via our secure mailing list [1] and filing a CVE [2].

[1] Details on the main security vulnerabilities page


Document Actions