CVE-2019-9926
An issue was discovered in LabKey Server 19.1.0. It is possible to force a logged-in administrator to execute code through a /reports-viewScriptReport.view CSRF vulnerability...
CVE-2019-9758
An issue was discovered in LabKey Server 19.1.0. The display name of a user is vulnerable to stored XSS that can execute on administrators from security/permissions.view, security/addUsers.view, or wiki/Administration/page.view in the admin panel, leading to privilege escalation...
CVE-2019-9758
CVE-2019-9758 concerns LabKey Server 19.1.0 where the user display name is vulnerable to stored XSS that can execute in admin context. The issue affects administrators when viewing pages in the admin panel (security/permissions.view, security/addUsers.view, or wiki/Administration/page.view), pote...
CVE-2019-9757
An issue was discovered in LabKey Server 19.1.0. Sending an SVG containing an XXE payload to the endpoint visualization-exportImage.view or visualization-exportPDF.view allows local files to be read...
CVE-2019-9757
LabKey Server 19.1.0 is affected by CVE-2019-9757: sending an SVG containing an XML External Entity (XXE) payload to visualization-exportImage.view or visualization-exportPDF.view can read arbitrary local files on the server. Root cause is an XXE flaw in XML parsing exposed by those endpoints. Im...
Vulnerabilities Leading to RCE in LabKey Server Biomedical Research Platform
The post Vulnerabilities Leading to RCE in LabKey Server Biomedical Research Platform appeared first on Rhino Security Labs...
CVE-2019-3911
Reflected cross-site scripting XSS vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 allows an unauthenticated remote attacker to inject arbitrary javascript via the onerror parameter in the /r2/query endpoints...
CVE-2019-3913
Command manipulation in LabKey Server Community Edition before 18.3.0-61806.763 allows an authenticated remote attacker to unmount any drive on the system leading to denial of service...
Cross site scripting
Reflected cross-site scripting XSS vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 allows an unauthenticated remote attacker to inject arbitrary javascript via the onerror parameter in the /r2/query endpoints...
CVE-2019-3912
An open redirect vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 via the /r1/ returnURL parameter allows an unauthenticated remote attacker to redirect users to arbitrary web sites...
Open redirect
An open redirect vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 via the /r1/ returnURL parameter allows an unauthenticated remote attacker to redirect users to arbitrary web sites...
Command injection
Command manipulation in LabKey Server Community Edition before 18.3.0-61806.763 allows an authenticated remote attacker to unmount any drive on the system leading to denial of service...
CVE-2019-3912
CVE-2019-3912 affects LabKey Server Community Edition prior to 18.3.0-61806.763. The Open Redirect vulnerability is triggered via the /__r1/ returnURL parameter, allowing an unauthenticated remote attacker to redirect users to arbitrary external sites. The NUCLEI template and NVD entry confirm th...
CVE-2019-3913
CVE-2019-3913 affects LabKey Server Community Edition prior to 18.3.0-61806.763. It is a logic flaw in the network drive mapping functionality where lack of input sanitization in the mount() path allows an authenticated user to unmount drives, leading to denial of service. Affected component: Lab...
CVE-2019-3911
LabKey Server Community Edition before 18.3.0-61806.763 contains a reflected XSS via the onerror parameter in the /__r2/query endpoint, allowing an unauthenticated attacker to inject arbitrary JavaScript. Affected version range is prior to 18.3.0-61806.763. Remediation: upgrade to LabKey Server C...