CVE-2025-54791

OMERO.web provides a web based client and plugin infrastructure. Prior to version 5.29.2, if an error occurred when resetting a user's password using the Forgot Password option in OMERO.web, the error message displayed on the Web page can disclose information about the user. This issue has been patched in version 5.29.2. A workaround involves disabling the Forgot password option in OMERO.web using the omero.web.show_forgot_password configuration property.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/ome/omero-web/commit/8aa2789e8f759c73f1517abe9a0abd44e86644ad	Patch
https://github.com/ome/omero-web/security/advisories/GHSA-gpmg-4x4g-mr5r	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openmicroscopy:omero-web:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-08-13 14:15

Updated : 2025-09-23 18:13

NVD link : CVE-2025-54791

Mitre link : CVE-2025-54791

CVE.ORG link : CVE-2025-54791

JSON object : View

Products Affected

openmicroscopy

omero-web

CWE

CWE-209

Generation of Error Message Containing Sensitive Information

{"id": "CVE-2025-54791", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-08-13T14:15:32.580", "references": [{"url": "https://github.com/ome/omero-web/commit/8aa2789e8f759c73f1517abe9a0abd44e86644ad", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/ome/omero-web/security/advisories/GHSA-gpmg-4x4g-mr5r", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-209"}]}], "descriptions": [{"lang": "en", "value": "OMERO.web provides a web based client and plugin infrastructure. Prior to version 5.29.2, if an error occurred when resetting a user's password using the Forgot Password option in OMERO.web, the error message displayed on the Web page can disclose information about the user. This issue has been patched in version 5.29.2. A workaround involves disabling the Forgot password option in OMERO.web using the omero.web.show_forgot_password configuration property."}, {"lang": "es", "value": "OMERO.web ofrece una infraestructura de cliente y complementos web. Antes de la versi\u00f3n 5.29.2, si se produc\u00eda un error al restablecer la contrase\u00f1a de un usuario con la opci\u00f3n \"Olvid\u00e9 mi contrase\u00f1a\" en OMERO.web, el mensaje de error que se mostraba en la p\u00e1gina web pod\u00eda revelar informaci\u00f3n sobre el usuario. Este problema se ha corregido en la versi\u00f3n 5.29.2. Una soluci\u00f3n alternativa consiste en deshabilitar la opci\u00f3n \"Olvid\u00e9 mi contrase\u00f1a\" en OMERO.web mediante la propiedad de configuraci\u00f3n omero.web.show_forgot_password."}], "lastModified": "2025-09-23T18:13:48.487", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openmicroscopy:omero-web:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F3E54EAF-F660-48E6-844D-456EBCB03F24", "versionEndExcluding": "5.29.2"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}