Reflected cross-site scripting (XSS) vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 allows an unauthenticated remote attacker to inject arbitrary javascript via the onerror parameter in the /__r2/query endpoints.
6.1CVSS
6AI Score
0.002EPSS
An open redirect vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 via the /__r1/ returnURL parameter allows an unauthenticated remote attacker to redirect users to arbitrary web sites.
6.1CVSS
6.3AI Score
0.002EPSS
Command manipulation in LabKey Server Community Edition before 18.3.0-61806.763 allows an authenticated remote attacker to unmount any drive on the system leading to denial of service.
4.9CVSS
5.1AI Score
0.005EPSS
An issue was discovered in LabKey Server 19.1.0. Sending an SVG containing an XXE payload to the endpoint visualization-exportImage.view or visualization-exportPDF.view allows local files to be read.
7.5CVSS
7.3AI Score
0.005EPSS
An issue was discovered in LabKey Server 19.1.0. The display name of a user is vulnerable to stored XSS that can execute on administrators from security/permissions.view, security/addUsers.view, or wiki/Administration/page.view in the admin panel, leading to privilege escalation.
5.4CVSS
5.3AI Score
0.001EPSS
An issue was discovered in LabKey Server 19.1.0. It is possible to force a logged-in administrator to execute code through a /reports-viewScriptReport.view CSRF vulnerability.
8.8CVSS
8.7AI Score
0.005EPSS