47 matches found
Cross site request forgery (csrf)
An issue was discovered in LabKey Server 19.1.0. It is possible to force a logged-in administrator to execute code through a /reports-viewScriptReport.view CSRF vulnerability...
Design/Logic Flaw
An issue was discovered in LabKey Server 19.1.0. Sending an SVG containing an XXE payload to the endpoint visualization-exportImage.view or visualization-exportPDF.view allows local files to be read...
CVE-2019-9926
An issue was discovered in LabKey Server 19.1.0. It is possible to force a logged-in administrator to execute code through a /reports-viewScriptReport.view CSRF vulnerability...
CVE-2019-9926
LabKey Server 19.1.0 is affected by a CSRF vulnerability in /reports-viewScriptReport.view that can coerce a logged-in administrator into executing code. The issue is described across multiple sources (NVDRed Hat/CVE record, CNVD, PRION, CVE-lists, EUVD) as a CSRF weakness allowing an authenticat...
CVE-2019-9758
An issue was discovered in LabKey Server 19.1.0. The display name of a user is vulnerable to stored XSS that can execute on administrators from security/permissions.view, security/addUsers.view, or wiki/Administration/page.view in the admin panel, leading to privilege escalation...
CVE-2019-9758
CVE-2019-9758 concerns LabKey Server 19.1.0 where the user display name is vulnerable to stored XSS that can execute in admin context. The issue affects administrators when viewing pages in the admin panel (security/permissions.view, security/addUsers.view, or wiki/Administration/page.view), pote...
CVE-2019-9757
An issue was discovered in LabKey Server 19.1.0. Sending an SVG containing an XXE payload to the endpoint visualization-exportImage.view or visualization-exportPDF.view allows local files to be read...
CVE-2019-9757
LabKey Server 19.1.0 is affected by CVE-2019-9757: sending an SVG containing an XML External Entity (XXE) payload to visualization-exportImage.view or visualization-exportPDF.view can read arbitrary local files on the server. Root cause is an XXE flaw in XML parsing exposed by those endpoints. Im...
Vulnerabilities Leading to RCE inLabKey Server Biomedical Research Platform
The post Vulnerabilities Leading to RCE in LabKey Server Biomedical Research Platform appeared first on Rhino Security Labs...
Cross site scripting
Reflected cross-site scripting XSS vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 allows an unauthenticated remote attacker to inject arbitrary javascript via the onerror parameter in the /r2/query endpoints...
Command injection
Command manipulation in LabKey Server Community Edition before 18.3.0-61806.763 allows an authenticated remote attacker to unmount any drive on the system leading to denial of service...
CVE-2019-3913
Command manipulation in LabKey Server Community Edition before 18.3.0-61806.763 allows an authenticated remote attacker to unmount any drive on the system leading to denial of service...
CVE-2019-3911
Reflected cross-site scripting XSS vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 allows an unauthenticated remote attacker to inject arbitrary javascript via the onerror parameter in the /r2/query endpoints...
CVE-2019-3912
An open redirect vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 via the /r1/ returnURL parameter allows an unauthenticated remote attacker to redirect users to arbitrary web sites...
CVE-2019-3911
Reflected cross-site scripting XSS vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 allows an unauthenticated remote attacker to inject arbitrary javascript via the onerror parameter in the /r2/query endpoints...
CVE-2019-3913
Command manipulation in LabKey Server Community Edition before 18.3.0-61806.763 allows an authenticated remote attacker to unmount any drive on the system leading to denial of service...
CVE-2019-3912
An open redirect vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 via the /r1/ returnURL parameter allows an unauthenticated remote attacker to redirect users to arbitrary web sites...
Open redirect
An open redirect vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 via the /r1/ returnURL parameter allows an unauthenticated remote attacker to redirect users to arbitrary web sites...
CVE-2019-3913
Command manipulation in LabKey Server Community Edition before 18.3.0-61806.763 allows an authenticated remote attacker to unmount any drive on the system leading to denial of service...
CVE-2019-3911
LabKey Server Community Edition before 18.3.0-61806.763 contains a reflected XSS via the onerror parameter in the /__r2/query endpoint, allowing an unauthenticated attacker to inject arbitrary JavaScript. Affected version range is prior to 18.3.0-61806.763. Remediation: upgrade to LabKey Server C...