CVE-2019-9758: LabKey Server Stored XSS
Information
Description: A stored Cross-Site Scripting (XSS) payload can execute against an admin of LabKey Server, which can lead to RCE.
Versions Affected: LabKey Server 19.1.0
Researcher: David Yesland (https://twitter.com/daveysec)
Disclosure Link: https://rhinosecuritylabs.com/application-security/labkey-server-vulnerabilities-to-rce
NIST CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-9758
Proof-of-Concept Exploit
Description
The username is not sanitized in some parts of the admin portal. This allows XSS payloads to execute in the context of an admin of the application, which can in turn lead to RCE by abusing intended functionality of the application.
Usage/Exploitation
Set the username of a user to <svg onload=alert(document.cookie)> then attempt to clone the permissions of that user as an admin.
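
A regression check for the unencoded username described above, added here as an example and not taken from LabKey's code. The function names and the <td> template are assumptions standing in for the admin-portal markup; the sample user list is constructed.

```python
import html
from html.parser import HTMLParser

# Username value from the Usage/Exploitation step, plus constructed benign names.
PAGE_PAYLOAD = "<svg onload=alert(document.cookie)>"
SAMPLE_USERS = ["alice@example.org", "bob.o'neil", PAGE_PAYLOAD]  # constructed


def render_unsafe(username):
    # 'Before': the stored username is concatenated into markup unencoded.
    return "<td>" + username + "</td>"


def render_safe(username):
    # 'After': encode for the HTML context at output time.
    return "<td>" + html.escape(username, quote=True) + "</td>"


class TagCollector(HTMLParser):
    """Records each start tag and its attribute names as an HTML parser sees them."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def injected_tags(fragment, expected=("td",)):
    # Any element beyond the template's own means user data became markup.
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return [t for t in collector.tags if t[0] not in expected]


def audit_usernames(usernames, render=render_unsafe):
    # Flag stored usernames that add elements when passed through a renderer.
    return [u for u in usernames if injected_tags(render(u))]


if __name__ == "__main__":
    print("unsafe render adds:", injected_tags(render_unsafe(PAGE_PAYLOAD)))
    print("safe render adds:  ", injected_tags(render_safe(PAGE_PAYLOAD)))
    print("stored names to review:", audit_usernames(SAMPLE_USERS))
```

Running audit_usernames over an export of existing accounts after patching finds usernames that were stored while the field was unencoded.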
