Best Top Reviews Online

LabKey Vulnerabilities Endanger Medical Research Information

LabKey Server version 18.3.0-61806.763, which was released on January 16, resolves all three vulnerabilities, so users should update immediately.

Three vulnerabilities in a popular open-source medical data collaboration tool make multiple cross-site scripting (XSS) attacks possible, exposing sensitive healthcare research data and potentially subject information. The vulnerabilities are severe enough that an attacker can retrieve a user’s credentials once the user clicks a malicious link.

According to Tenable Research, LabKey Server Community Edition 18.2-60106.64 contains vulnerabilities that allow an unauthenticated remote attacker to execute arbitrary code in a user’s browser, create open redirects that push users to malicious URLs, and, after gaining administrative access, map malicious network drives.

“Using the victim’s credentials, the attacker could perform any action that their target could perform on the LabKey system,” Jacob Baines, senior research engineer at Tenable, told Threatpost. Depending on the targeted user’s access, this may involve accessing or manipulating research data.

LabKey Server is a suite of software that allows researchers to integrate, analyze, and share biomedical research data. The platform serves as a data repository that enables querying, reporting, and collaboration across multiple data sources via the web. LabKey solutions are utilized by public health organizations, medical research centers, and universities around the world, according to the company’s website.

Baines stated, “According to a Shodan search, there are internet-facing LabKey servers, which increases the attack surface. The server’s Set-Cookie header contains the X-LAB-CSRF identifier.”

Vulnerability Particulars

The first vulnerability, CVE-2019-3911, is an XSS flaw caused by the query functionality not properly validating or sanitizing its input.

“Because this parameter is reflected in the output to the user and interpreted by the browser, a cross-site scripting attack is possible,” the company explained in a Thursday advisory. “This allows an attacker to execute arbitrary code within the user’s browser context. Authenticated or unauthenticated XSS attacks are possible due to the availability of extra ‘__r#’ paths in the default installation.”
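The reflection the advisory describes is easiest to see side by side with its fix. The Python below is an added example, not LabKey’s code: a vulnerable render that copies a `query` value straight into the page, a hardened render that HTML-escapes it for the context it lands in, and a small reflection check of the kind used to confirm whether a parameter comes back as live markup. The probe string, templates and function names are constructed for the example.

```python
import html

# Constructed probe string of the kind a reflected-XSS check uses; it is not a
# payload taken from the advisory.
PROBE = "<script>alert(document.cookie)</script>"

# Two output contexts a reflected parameter commonly lands in: element content
# and a quoted attribute value.
CONTENT_TEMPLATE = "<p>Results for: {query}</p>"
ATTR_TEMPLATE = '<input name="query" value="{query}">'


def render_unsafe(query: str) -> str:
    """'Before' form: the parameter is copied into the page verbatim, so any
    markup in it is interpreted by the browser (the pattern behind a
    reflected XSS such as CVE-2019-3911)."""
    return CONTENT_TEMPLATE.format(query=query)


def render_safe(query: str, template: str = CONTENT_TEMPLATE) -> str:
    """Hardened form: HTML-escape the value for the context it is written into.
    quote=True also converts ' and ", so the value cannot close an attribute."""
    return template.format(query=html.escape(query, quote=True))


def reflects_markup(page: str, probe: str = PROBE) -> bool:
    """Reflection check: is the probe present in the response as live markup?
    A hardened page contains it only in entity-encoded form."""
    return probe in page
```

Escaping is context-specific: `html.escape` is right for element content and quoted attributes, but a value written into a `<script>` block or a URL needs that context’s encoding instead, which is why frameworks tie the encoder to the template location rather than to the input.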

A second flaw, CVE-2019-3912, permits open redirects because the returnUrl function is likewise not sanitized, which allows certain return paths to be edited. An attacker can use these to redirect users to a location under their control.
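The standard mitigation for an open redirect is to accept a return URL only when it stays on the application’s own origin. The validator below is an added Python example, not LabKey’s fix: it accepts an absolute path on the same server and falls back to a default for anything carrying a scheme, a host, the protocol-relative `//host` form, or the backslash variant browsers normalise to it. The function name and default are assumptions for the example.

```python
from urllib.parse import urlsplit


def safe_return_url(candidate: str, default: str = "/") -> str:
    """Return `candidate` only if it is a path-only URL on this server;
    otherwise return `default` so the redirect can never leave the origin."""
    if not candidate:
        return default
    # Control characters and whitespace can split the Location header or be
    # silently dropped by browsers ("java\tscript:"), so reject them outright.
    if any(ord(ch) < 0x20 or ch in " \t\r\n" for ch in candidate):
        return default
    # Browsers treat a backslash like a forward slash in URLs, so "/\evil"
    # is read as "//evil": normalise before parsing so the check sees it.
    normalised = candidate.replace("\\", "/")
    parts = urlsplit(normalised)
    # Any scheme (http:, javascript:, data:) or host component (including the
    # protocol-relative "//host/..." form) means the URL leaves our origin.
    if parts.scheme or parts.netloc:
        return default
    # Require an absolute path on this server; "///host" is parsed as a path
    # by urlsplit but as a host by browsers, so a double slash is rejected too.
    if not normalised.startswith("/") or normalised.startswith("//"):
        return default
    return normalised
```

Returning the default rather than an error keeps the login flow working when a bookmarked or stale returnUrl is rejected; the useful signal for detection is a log line whenever the fallback is taken.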

CVE-2019-3913 is a flaw in the network drive mapping functionality of the LabKey Server. An attacker would need administrative access to LabKey Server’s web interface to exploit the vulnerability.

According to the advisory, “when mapping a network drive from the command line, a lack of sanitization in the mount() function would permit an attacker to mount their own malicious drives to the server.”
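The defensive pattern for a mount helper that shells out is to validate the share and mount point against a strict allowlist and then hand the operating system an argument vector rather than a command string. The following is an added Python example, not LabKey’s mount() code: the allowed server set, the path patterns and the `cifs` options are assumptions chosen for illustration.

```python
import re
from typing import List

# Constructed allowlist of file servers an administrator may mount from;
# an assumption for the example, not a LabKey setting.
ALLOWED_SERVERS = {"files.lab.example"}

# UNC-style share "//server/share" and a mount point under a fixed prefix.
# The character classes exclude shell metacharacters and path traversal.
SHARE_RE = re.compile(r"^//(?P<server>[A-Za-z0-9.-]+)/(?P<share>[A-Za-z0-9_-]+)$")
MOUNTPOINT_RE = re.compile(r"^/mnt/labkey/[A-Za-z0-9_-]+$")


class UnsafeMountArgument(ValueError):
    """Raised when a share or mount point fails validation."""


def build_mount_argv(share: str, mountpoint: str) -> List[str]:
    """Validate both inputs and return an argv list for subprocess.run(argv).
    Because no shell is involved (shell=False), characters such as ';',
    '$(...)' or backticks in the inputs are never interpreted."""
    match = SHARE_RE.match(share)
    if not match or match.group("server") not in ALLOWED_SERVERS:
        raise UnsafeMountArgument(f"share not permitted: {share!r}")
    if not MOUNTPOINT_RE.match(mountpoint):
        raise UnsafeMountArgument(f"mount point not permitted: {mountpoint!r}")
    # Mount read-only and without setuid/device/exec semantics so that even a
    # legitimate share cannot deliver executable or privileged files.
    return ["mount", "-t", "cifs", "-o", "ro,nosuid,nodev,noexec", share, mountpoint]


def is_permitted(share: str, mountpoint: str) -> bool:
    """Convenience wrapper for audits: True if the pair would be mounted."""
    try:
        build_mount_argv(share, mountpoint)
    except UnsafeMountArgument:
        return False
    return True
```

The allowlist is the part that matters most: even with no shell, a syntactically clean share pointing at an attacker-controlled server is still a malicious drive, which is why the server name is checked against a fixed set rather than a pattern alone.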

Baines stated that CVE-2019-3911 and CVE-2019-3912 are the two vulnerabilities that would typically be exploited in an attack; a malicious actor could exploit either by sending an unsuspecting user a malicious link.

“An example attack scenario for CVE-2019-3912 would involve a malicious actor creating a phony login page,” he explained. “The attacker would then send a malicious link to a LabKey login page to an unsuspecting user. When a user logs in to the legitimate LabKey server, they would be redirected to the attacker’s fabricated page. Confused, the user re-enters their credentials and is now compromised.”

Meanwhile, an example attack for CVE-2019-3911 would involve an attacker crafting a malicious link containing injected JavaScript that the victim’s browser executes.

“If a logged-in LabKey user clicks the attacker’s link, the JavaScript can send the user’s cookies to the attacker, granting the attacker access to the user’s sessionID,” Baines explained.
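The cookie theft Baines describes works only if script can read the session cookie, which is what the HttpOnly attribute prevents. The Python below is an added example, not LabKey’s code: one function builds a hardened Set-Cookie value for a session token, and a second parses a Set-Cookie header value and reports which of HttpOnly, Secure and SameSite are missing, the check a defender runs against a server’s responses. The cookie name and values are constructed.

```python
from http.cookies import SimpleCookie
from typing import Dict, List

# Constructed cookie name for the example; the article refers to the session
# ID only generically.
SESSION_COOKIE = "SESSIONID"


def session_set_cookie(value: str, name: str = SESSION_COOKIE) -> str:
    """Build a hardened Set-Cookie value for a session token.
    HttpOnly keeps document.cookie from exposing it, so script injected via
    XSS cannot simply read and exfiltrate it; Secure restricts it to HTTPS;
    SameSite=Lax stops most cross-site requests from carrying it."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> Dict[str, List[str]]:
    """Parse one Set-Cookie header value and report, per cookie, which of the
    HttpOnly, Secure and SameSite attributes are absent."""
    jar = SimpleCookie()
    jar.load(header_value)
    report: Dict[str, List[str]] = {}
    for name, morsel in jar.items():
        missing = []
        if not morsel["httponly"]:
            missing.append("HttpOnly")
        if not morsel["secure"]:
            missing.append("Secure")
        if not morsel["samesite"]:
            missing.append("SameSite")
        report[name] = missing
    return report


# Constructed header value standing in for a response that sets a session
# cookie with no protective attributes.
WEAK_HEADER = "SESSIONID=a1b2c3; Path=/"
```

HttpOnly is a containment measure rather than a fix: script running in the victim’s session can still issue requests with the cookie attached by the browser, so output encoding remains the primary control and the cookie attributes limit the damage when it fails.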
