Description: This allows stored Cross-Site Scripting (XSS) to execute against an admin of LabKey Server, which can lead to remote code execution (RCE).
Versions Affected: LabKey Server 19.1.0
Researcher: David Yesland (https://twitter.com/daveysec)
Disclosure Link: https://rhinosecuritylabs.com/application-security/labkey-server-vulnerabilities-to-rce
NIST CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-9758
The username is not sanitized in some portions of the application within the admin portal. This allows XSS payloads to be executed in the browser of an admin of the application, which can also lead to RCE by abusing intended functionality of the application.
Set the username of a user to <svg onload=alert(document.cookie)> and then, as an admin, attempt to clone the permissions of that user.
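The following is an added example, not LabKey code, that models the bug class from a defender's side: a username stored verbatim is later concatenated into admin-page HTML, so the same row renderer is shown unescaped beside its output-encoded fix, with a small audit helper that flags stored usernames containing markup. The table layout and the two sample users are constructed assumptions.

```python
import html
import re

# Constructed sample user records; the second username is the advisory's payload.
SAMPLE_USERS = [
    {"id": 1, "username": "alice"},
    {"id": 2, "username": "<svg onload=alert(document.cookie)>"},
]


def render_user_row_unsafe(user: dict) -> str:
    """Models the vulnerable pattern: the stored username is placed in
    admin-page HTML without encoding, so browser-interpreted markup survives."""
    return f'<tr><td>{user["id"]}</td><td>{user["username"]}</td></tr>'


def render_user_row_safe(user: dict) -> str:
    """Fix: HTML-entity-encode the value for the element-body context it is
    rendered into. '<' and '>' become '&lt;' and '&gt;', so the payload is
    displayed as text instead of creating an <svg> element."""
    name = html.escape(user["username"], quote=True)
    return f'<tr><td>{user["id"]}</td><td>{name}</td></tr>'


# Matches anything shaped like an HTML tag; used for input validation and
# for auditing data that was stored before the fix was deployed.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_markup(value: str) -> bool:
    """True when the value contains an HTML-tag-like sequence."""
    return bool(TAG_RE.search(value))


def audit_usernames(users: list) -> list:
    """Return ids of users whose stored username contains markup, so an
    operator can review them after upgrading past the affected version."""
    return [u["id"] for u in users if contains_markup(u["username"])]


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print("unsafe:", render_user_row_unsafe(u))
        print("safe:  ", render_user_row_safe(u))
    print("usernames containing markup:", audit_usernames(SAMPLE_USERS))
```

Escaping is context-specific: the helper above is correct for element bodies and quoted attributes, and a username placed into a JavaScript string or an unquoted attribute needs the encoding for that context instead.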