• Three vulnerabilities in LabKey Server could be used to access or manipulate medical research data.
  • The flaws are a cross-site scripting (XSS) bug, an open redirect and a logic flaw in the network drive mapping feature.

LabKey Server, a popular platform from LabKey that lets scientists collaborate on medical research data, was recently found to contain three security vulnerabilities.

The software contained a cross-site scripting flaw that let an attacker inject script into a victim's browser, an open redirect that sends users to attacker-controlled URLs, and a logic flaw that could be abused by an attacker who has obtained administrative access.

Security firm Tenable Research, which analyzed LabKey Server, disclosed the vulnerabilities in a blog post. The three flaws are described as follows.

  1. CVE-2019-3911 - Cross-Site Scripting: Input to query functions is not validated, so an attacker can inject script that executes in the victim's browser with the victim's privileges.
  2. CVE-2019-3912 - Open Redirect: The returnUrl parameter is not restricted to the application's own site, so an attacker can craft a link that redirects a user to an attacker-controlled location.
  3. CVE-2019-3913 - Logic Flaw in Network Drive Mapping Functionality: A logic flaw in the network drive mapping feature lets an attacker who already has administrative access map a drive of their choosing to the server.

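The XSS and open-redirect items above are the two web-layer issues; the following is an added example (not LabKey's own code) showing the vulnerable reflection pattern beside its encoded form, and a returnUrl check that only accepts destinations on the application's own origin. The host name labkey.example.org, the function names and the probe inputs are assumptions constructed for illustration.

```javascript
// Added example, not LabKey's own code: hardening a reflected XSS and an open redirect
// through a returnUrl parameter. The origin labkey.example.org is an assumed value.

// Encode the five characters that let an untrusted string break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: a query name taken from the request is reflected into the page verbatim,
// so a value such as <script>...</script> runs in the victim's browser.
function renderQueryMessageUnsafe(queryName) {
  return `<p>Query ${queryName} not found</p>`;
}

// Hardened pattern: the same message with the value encoded before it reaches the HTML.
function renderQueryMessage(queryName) {
  return `<p>Query ${escapeHtml(queryName)} not found</p>`;
}

// Validate a returnUrl: resolve it against the site's own origin and accept it only if the
// result still belongs to that origin. Returns the absolute URL to redirect to, or null to reject.
function safeReturnUrl(returnUrl, siteOrigin = "https://labkey.example.org") {
  if (typeof returnUrl !== "string" || returnUrl.length === 0 || returnUrl.length > 2048) {
    return null;
  }
  // Whitespace and control characters are used to smuggle schemes past naive prefix checks.
  if (/[\u0000-\u0020\u007f]/.test(returnUrl)) return null;
  // Browsers treat a backslash like a slash, so "/\evil.example" is really "//evil.example".
  if (returnUrl.includes("\\")) return null;

  let resolved;
  try {
    resolved = new URL(returnUrl, siteOrigin); // WHATWG parser, the same rules a browser applies
  } catch {
    return null; // unparsable input
  }
  // Rejects absolute URLs to other hosts, protocol-relative "//host" forms, userinfo tricks such
  // as "https://labkey.example.org@evil.example", scheme downgrades to http:, and non-http(s)
  // schemes such as javascript: (those have the opaque origin "null").
  if (resolved.origin !== siteOrigin) return null;
  return resolved.href;
}

// Constructed inputs an attacker might place in a crafted link, paired with the check's verdict.
function checkProbes() {
  const probes = [
    "/project/home",                             // kept: same-origin path
    "//evil.example/phish",                      // rejected: protocol-relative
    "https://evil.example/phish",                // rejected: other host
    "https://labkey.example.org@evil.example/",  // rejected: userinfo trick
    "http://labkey.example.org/project/home",    // rejected: scheme downgrade
    "javascript:alert(document.cookie)",         // rejected: non-http scheme
    "/\\evil.example",                           // rejected: backslash
  ];
  return probes.map((p) => [p, safeReturnUrl(p)]);
}

for (const [input, verdict] of checkProbes()) {
  console.log(JSON.stringify(input), "->", verdict === null ? "REJECT" : verdict);
}
console.log(renderQueryMessageUnsafe("<script>alert(1)</script>"));
console.log(renderQueryMessage("<script>alert(1)</script>"));
```

Resolving the parameter with the URL parser and comparing origins is more robust than string-prefix checks on "/" or the host name, because it applies the same normalization the browser will apply when it follows the redirect.
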
Fortunately, the latest version of LabKey Server, 18.3.0-61806.763, contains fixes for all three vulnerabilities.

Research data can be manipulated

Jacob Baines, a senior research engineer at Tenable, told ThreatPost how the vulnerabilities could lead to abuse of research information. “The attacker could perform any action that their target could perform on the LabKey system since they would be using the victim’s credentials. This could potentially mean accessing or manipulating research data, depending on the targeted user’s access,” Baines said.

All users are advised to update to the latest version of LabKey Server to stay protected from these vulnerabilities.

Cyware Publisher