Vendor: National Center for Biotechnology Information (NCBI)
Product: NCBI ToolBox
Affected versions: 2.0.7 through 2.2.26
The Information Engineering Branch (IEB) of the National Center for Biotechnology Information (NCBI) developed the NCBI ToolBox which includes programming libraries, originally written in a portable dialect of C. It has since been replaced with a newer version written in C++. The vulnerabilities discussed in this report have been found within the earlier C-based programming libraries, and are exposed by the legacy web interface to BLAST, one of the most widely used bioinformatics research tools. We discovered researchers within the University of Cambridge still using the legacy interface, and it's likely that researchers in other institutions are doing the same (popular bioinformatics tools often enjoy a much longer service life than other types of software).
An XSS vulnerability exists in wwwblast.c in the legacy versions of the NCBI ToolBox via a crafted "-z1" argument.
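The root cause of a reflected XSS in a C CGI program such as wwwblast.c is a user-supplied value being written into the HTML response without escaping. The following is an added example of the mitigation, not code from the NCBI ToolBox: a small HTML-escaping routine with a caller-supplied buffer, plus a hypothetical `emit_param_line` helper that echoes a request parameter back into a results page only after escaping it. The parameter label "-z1" and the hostile sample value are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape the five HTML-significant characters so a user-supplied value
 * (for example a CGI argument echoed back into the results page) is
 * rendered as text rather than parsed as markup.
 * Returns the number of bytes written (excluding the NUL terminator),
 * or -1 if the destination buffer is too small. */
long html_escape(const char *src, char *dst, size_t dst_len)
{
    size_t out = 0;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        const char *rep;
        char one[2] = { (char)*p, '\0' };
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        /* Refuse to write past the buffer; leave room for the NUL. */
        if (out + n >= dst_len)
            return -1;
        memcpy(dst + out, rep, n);
        out += n;
    }
    if (out >= dst_len)          /* handles an empty source with dst_len == 0 */
        return -1;
    dst[out] = '\0';
    return (long)out;
}

/* Hypothetical helper (not from wwwblast.c): emit the line of a results
 * page that echoes a request parameter, escaping the value first.
 * Returns the number of characters printed, or -1 on escaping failure. */
int emit_param_line(FILE *out, const char *name, const char *value)
{
    char buf[1024];
    if (html_escape(value, buf, sizeof buf) < 0)
        return -1;
    return fprintf(out, "<p>Parameter %s = %s</p>\n", name, buf);
}

int main(void)
{
    /* Constructed input: a value that would inject markup if echoed raw. */
    const char *hostile = "<script>alert(1)</script>";
    emit_param_line(stdout, "-z1", hostile);
    return 0;
}
```

Escaping at the output sink is the check a legacy CGI needs regardless of how the value arrived (query string, form field, or a command-line argument passed through), and the explicit buffer-length check avoids trading the XSS for a buffer overflow in the escaping code itself.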
The software has recently been removed from NCBI's download site, but there may be many live instances still in the wild. We would obviously discourage use of the deprecated web application, particularly on exposed public interfaces.
See also CVE-2018-16717, CVE-2018-16716.