CVE-2019-9757
published 2019-10-29


Priority: P2 (64) · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Exploit: public exploit available
EPSS: 37.34% (98.3rd percentile)
An issue was discovered in LabKey Server 19.1.0. Sending an SVG containing an XXE payload to the endpoint visualization-exportImage.view or visualization-exportPDF.view allows local files to be read.

Affected (1 range)

Vendor / Product / Version range / Fixed in
labkey / labkey_server

Detection & IOCs (extracted from sources)

url: /labkey/home/visualization-exportPDF.view
path: /visualization-exportImage.view
path: /visualization-exportPDF.view
cookie: X-LABKEY-CSRF
  • Detect XXE exploitation attempts against LabKey Server by monitoring multipart/form-data POST requests to visualization-exportPDF.view or visualization-exportImage.view containing an SVG body with DOCTYPE/ENTITY declarations referencing local files (e.g., /etc/passwd).
  • Successful exploitation is confirmed when the HTTP 200 response body matches the pattern 'root:.*:0:0:' (contents of /etc/passwd), indicating arbitrary local file read via XXE.
  • Use Shodan/FOFA queries 'title:"LabKey"' or 'title="LabKey"' to identify exposed LabKey Server instances for proactive scanning.
  • The attack flow requires authentication: first extract the CSRF token from project-begin.view, then authenticate via login-loginApi.api, then POST the malicious SVG payload. Alert on this three-step sequence from a single source IP.
  • Exploitation requires valid credentials (authenticated attack). The CSRF token extracted from project-begin.view must be reused across all subsequent requests, meaning unauthenticated probes to the export endpoints alone will not succeed.
  • The multipart boundary value '---------------------------735323031399963166993862150' is specific to the proof-of-concept template; real attackers may use any valid boundary string, so detection rules should not rely solely on this exact boundary.
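The detection bullets above, worked through as an added example that is not part of this record or of LabKey: the classifier flags POSTs to the two export endpoints whose multipart body carries an SVG with an external-entity declaration, and upgrades the verdict to "confirmed" only when the 200 response echoes the /etc/passwd pattern. It deliberately ignores the multipart boundary value; the transaction record layout and the sample traffic are constructed assumptions.

```python
import re
from typing import Iterable, Optional

# Export endpoints named in the advisory; deployments may prefix them with a context path such as /labkey.
EXPORT_ENDPOINTS = ("visualization-exportImage.view", "visualization-exportPDF.view")

# Request evidence: an internal DTD subset declaring an external (SYSTEM) entity that points at a local file.
XXE_DECL_RE = re.compile(rb"<!DOCTYPE[^>]*\[.*?<!ENTITY\s+\w+\s+SYSTEM\s+[\"'](?:file:)?/", re.I | re.S)
# Response evidence from the advisory: a passwd line echoed back inside the rendered export.
PASSWD_LEAK_RE = re.compile(rb"root:.*:0:0:")

def classify(tx: dict) -> Optional[str]:
    """Return 'attempt', 'confirmed' or None for one HTTP transaction record.

    Record keys (constructed for this example, not a real log format):
    src_ip, method, path, content_type, request_body, status, response_body.
    """
    if tx["method"].upper() != "POST":
        return None
    if not tx["path"].split("?", 1)[0].endswith(EXPORT_ENDPOINTS):
        return None
    # Match on body content, never on the PoC's fixed multipart boundary string.
    if not tx["content_type"].lower().startswith("multipart/form-data"):
        return None
    body = tx["request_body"]
    if b"<svg" not in body.lower() or not XXE_DECL_RE.search(body):
        return None
    if tx["status"] == 200 and PASSWD_LEAK_RE.search(tx["response_body"]):
        return "confirmed"  # the server resolved the entity: local file read succeeded
    return "attempt"

def scan(transactions: Iterable[dict]) -> list:
    """Map each suspicious transaction to (src_ip, verdict); benign traffic is dropped."""
    return [(tx["src_ip"], v) for tx in transactions if (v := classify(tx))]

# Constructed sample traffic: one legitimate export, one rejected attempt, one successful read.
_XXE_SVG = (b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
            b'<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>')
_CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'
SAMPLE_TRAFFIC = [
    {"src_ip": "10.0.0.5", "method": "POST", "path": "/labkey/home/visualization-exportPDF.view",
     "content_type": "multipart/form-data; boundary=abc", "request_body": b"--abc\r\n" + _CLEAN_SVG,
     "status": 200, "response_body": b"%PDF-1.4 ..."},
    {"src_ip": "203.0.113.9", "method": "POST", "path": "/labkey/home/visualization-exportImage.view",
     "content_type": "multipart/form-data; boundary=xyz", "request_body": b"--xyz\r\n" + _XXE_SVG,
     "status": 401, "response_body": b"Unauthorized"},
    {"src_ip": "203.0.113.9", "method": "POST", "path": "/labkey/home/visualization-exportPDF.view",
     "content_type": "multipart/form-data; boundary=q1", "request_body": b"--q1\r\n" + _XXE_SVG,
     "status": 200, "response_body": b"%PDF-1.4 root:x:0:0:root:/root:/bin/bash"},
]
```

Because the CSRF/login steps precede the upload, correlating "attempt" and "confirmed" verdicts per source IP with prior hits on project-begin.view and login-loginApi.api gives the three-step sequence the bullets describe.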

CVSS provenance

NVD, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD, CVSS v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N