LabKey Server version 18.3.0-61806.763, released on January 16, patches all three issues, so users should update as soon as possible.
A trio of vulnerabilities in a popular open-source medical data collaboration tool leaves important healthcare research data, and potentially subject information, open to multiple cross-site scripting (XSS) attacks. The flaws are serious, as they allow an attacker to retrieve user credentials once a user clicks a malicious link.
Tenable Research on Thursday said that the flaws, which exist in LabKey Server Community Edition 18.2-60106.64, allow a remote unauthenticated attacker to run arbitrary code through their browser, create open redirects to push users to malicious URLs, and map malicious network drives after gaining administrative access.
Source: ThreatPost