PT-2019-16767 · Labkey · Labkey Server Community Edition
Published: 2019-01-30 · Updated: 2022-12-03 · CVE-2019-3912
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
LabKey Server Community Edition versions prior to 18.3.0-61806.763
Description
The issue is an open redirect vulnerability in the / r1/ API endpoint, specifically its returnURL parameter, which allows an unauthenticated remote attacker to redirect users to arbitrary web sites.
Recommendations
For versions prior to 18.3.0-61806.763, update to version 18.3.0-61806.763 or later to resolve the issue. As a temporary workaround, consider restricting access to the / r1/ endpoint or avoiding the use of the returnURL parameter until the update is applied.
Exploit
Fix
Weakness Enumeration
Open Redirect
Related Identifiers
Affected Products
Labkey Server Community Edition
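The returnURL handling described in the Description above is the classic open redirect pattern: a caller-supplied URL is used as the redirect target without being checked against the application's own origin. The following Python block is an added example, not LabKey Server's code and not the vendor's fix; it places the unchecked pattern beside a validating check that accepts only same-origin targets and falls back to a safe path otherwise. APP_ORIGIN, SAFE_FALLBACK, the function names and the sample inputs are constructed for this illustration.

```python
from urllib.parse import urlsplit

# Constructed values for this example: the origin the application is served from.
# This is an assumption for the illustration, not LabKey Server's configuration.
APP_ORIGIN = "https://labkey.example.org"
SAFE_FALLBACK = "/"  # where the user is sent when returnURL fails validation


def vulnerable_redirect_target(return_url: str) -> str:
    """The pattern behind an open redirect: the parameter is trusted verbatim,
    so any absolute URL supplied by a third party becomes the redirect target."""
    return return_url or SAFE_FALLBACK


def is_safe_return_url(return_url: str, app_origin: str = APP_ORIGIN) -> bool:
    """True only if return_url resolves to the application's own origin.

    Accepts an absolute path ("/home/...") or an absolute URL whose scheme and
    host exactly match app_origin. Rejects everything else, including
    scheme-relative ("//host"), backslash ("/\\host") and "javascript:" forms.
    """
    if not return_url:
        return False
    # Browsers treat "\" like "/" when parsing URLs, so normalise before checking.
    candidate = return_url.replace("\\", "/")
    # Whitespace and control characters can change how a browser parses the scheme.
    if any(ord(ch) <= 0x20 for ch in candidate):
        return False
    try:
        parts = urlsplit(candidate)
    except ValueError:
        # e.g. malformed IPv6 literals; treat anything unparseable as unsafe
        return False
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: allow only an exact match of our origin
        # (scheme and host:port), so "labkey.example.org.attacker.example" fails.
        app = urlsplit(app_origin)
        return (parts.scheme.lower() == app.scheme.lower()
                and parts.netloc.lower() == app.netloc.lower())
    # Relative reference: must be an absolute path. "//host/x" never reaches here
    # because urlsplit places that host into netloc, which is handled above.
    return candidate.startswith("/")


def hardened_redirect_target(return_url: str, app_origin: str = APP_ORIGIN) -> str:
    """Return the validated returnURL, or the safe fallback when it fails the check."""
    return return_url if is_safe_return_url(return_url, app_origin) else SAFE_FALLBACK


if __name__ == "__main__":
    # Constructed sample inputs, as a login or view handler might receive them.
    samples = [
        "/home/project-begin.view",
        "https://labkey.example.org/home/",
        "https://attacker.example/",
        "//attacker.example/",
        "/\\attacker.example/",
        "javascript:alert(1)",
        "",
    ]
    for s in samples:
        print(f"{s!r:30} vulnerable -> {vulnerable_redirect_target(s)!r:30} "
              f"hardened -> {hardened_redirect_target(s)!r}")
```

Two design points: the check compares the whole scheme and host rather than using a prefix test, because a prefix test on the origin string is what lets lookalike hosts through; and a rejected value is replaced by a fixed fallback rather than echoed in an error, which also gives a clean place to log the rejected returnURL for detection of probing. If the application never needs absolute URLs in returnURL, the simpler and stronger policy is to accept only the relative-path branch.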