6 matches found
CVE-2019-3911
LabKey Server Community Edition before 18.3.0-61806.763 contains a reflected XSS via the onerror parameter in the /__r2/query endpoint, allowing an unauthenticated attacker to inject arbitrary JavaScript. Affected version range is prior to 18.3.0-61806.763. Remediation: upgrade to LabKey Server C...
CVE-2019-9757
LabKey Server 19.1.0 is affected by CVE-2019-9757: sending an SVG containing an XML External Entity (XXE) payload to visualization-exportImage.view or visualization-exportPDF.view can read arbitrary local files on the server. Root cause is an XXE flaw in XML parsing exposed by those endpoints. Im...
CVE-2019-3912
CVE-2019-3912 affects LabKey Server Community Edition prior to 18.3.0-61806.763. The Open Redirect vulnerability is triggered via the /__r1/ returnURL parameter, allowing an unauthenticated remote attacker to redirect users to arbitrary external sites. The NUCLEI template and NVD entry confirm th...
CVE-2019-9758
CVE-2019-9758 concerns LabKey Server 19.1.0 where the user display name is vulnerable to stored XSS that can execute in admin context. The issue affects administrators when viewing pages in the admin panel (security/permissions.view, security/addUsers.view, or wiki/Administration/page.view), pote...
CVE-2019-9926
LabKey Server 19.1.0 is affected by a CSRF vulnerability in /reports-viewScriptReport.view that can coerce a logged-in administrator into executing code. The issue is described across multiple sources (NVDRed Hat/CVE record, CNVD, PRION, CVE-lists, EUVD) as a CSRF weakness allowing an authenticat...
CVE-2019-3913
CVE-2019-3913 affects LabKey Server Community Edition prior to 18.3.0-61806.763. It is a logic flaw in the network drive mapping functionality where lack of input sanitization in the mount() path allows an authenticated user to unmount drives, leading to denial of service. Affected component: Lab...