LabKey Server, a popular offering by LabKey that allows scientists to collaborate on medical research data, was recently found to have security vulnerabilities.
The software suite contained cross-site scripting flaws that allowed attackers to inject malicious code, which could then be used to create redirects to fake URLs and to obtain admin access.
Security firm Tenable Research, which conducted an in-depth analysis of LabKey Server, provided a comprehensive review of these vulnerabilities. According to a blog post by the company, LabKey Server has three flaws, which are described as follows.
Fortunately, the latest version of LabKey Server i.e., 18.3.0-61806.763, comes with fixes for all these vulnerabilities.
Research data can be manipulated
Jacob Baines, a senior research engineer from Tenable, told ThreatPost how the vulnerabilities can lead to abuse of research information. “The attacker could perform any action that their target could perform on the LabKey system since they would be using the victim’s credentials. This could potentially mean accessing or manipulating research data, depending on the targeted user’s access,” indicated Baines.
All users are advised to update to the latest version of LabKey Server to stay protected from these vulnerabilities.