CVE-2025-54791
BaseFortify
Publication date: 2025-08-13
Last updated on: 2025-09-23
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openmicroscopy | omero-web | up to 5.29.2 (excluding 5.29.2) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-209 | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in OMERO.web versions prior to 5.29.2. When a user attempts to reset their password using the Forgot Password option, if an error happens during the process, the error message displayed on the web page can reveal information about the user. This unintended information disclosure could potentially be exploited. The issue was fixed in version 5.29.2, and a workaround is to disable the Forgot Password option via configuration.
How can this vulnerability impact me?
The vulnerability can lead to information disclosure about users when errors occur during password reset attempts. This could allow attackers to gain insights about user accounts, potentially aiding in further attacks such as targeted phishing or account enumeration. However, it does not impact system integrity or availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should disable the Forgot Password option in OMERO.web by setting the configuration property omero.web.show_forgot_password to false. Additionally, upgrade OMERO.web to version 5.29.2 or later where this issue has been patched.