CVE-2019-9757
Published 2019-10-29
Priority P2 · 64 · high · 7.5 CVSS 3.1
CVSS 3.1 vector: AV:N AC:L PR:N UI:N S:U C:H I:N A:N
Exploit: EPSS 37.34% (98.3rd percentile)
An issue was discovered in LabKey Server 19.1.0. Sending an SVG containing an XXE payload to the endpoint visualization-exportImage.view or visualization-exportPDF.view allows local files to be read.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| labkey | labkey_server | — | — |
Detection & IOCs (extracted from sources)
- Detect XXE exploitation attempts against LabKey Server by monitoring multipart/form-data POST requests to visualization-exportPDF.view or visualization-exportImage.view containing an SVG body with DOCTYPE/ENTITY declarations referencing local files (e.g., /etc/passwd).
- Successful exploitation is confirmed when the HTTP 200 response body matches the pattern 'root:.*:0:0:' (contents of /etc/passwd), indicating arbitrary local file read via XXE.
- Use Shodan/FOFA queries 'title:"LabKey"' or 'title="LabKey"' to identify exposed LabKey Server instances for proactive scanning.
- The attack flow requires authentication: first extract the CSRF token from project-begin.view, then authenticate via login-loginApi.api, then POST the malicious SVG payload. Alert on this three-step sequence from a single source IP.
- Exploitation requires valid credentials (authenticated attack). The CSRF token extracted from project-begin.view must be reused across all subsequent requests, meaning unauthenticated probes to the export endpoints alone will not succeed.
- The multipart boundary value '---------------------------735323031399963166993862150' is specific to the proof-of-concept template; real attackers may use any valid boundary string, so detection rules should not rely solely on this exact boundary.
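The detection notes above describe two signals: a multipart POST to one of the two export endpoints whose SVG part declares an external entity (confirmed by a 200 response carrying /etc/passwd-style lines), and the three-request sequence a credentialed actor must walk first. The following Python puts both into code. It is an added example, not part of this record, the Rhino Security Labs write-up or the Nuclei template; the `HttpEvent` shape, the `/labkey/` path prefix, the boundary string and all sample traffic are constructed for the example. The multipart boundary is read from the Content-Type header rather than hard-coded, as the last note recommends.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Endpoints named in the advisory; str.endswith() accepts the tuple directly.
EXPORT_ENDPOINTS = ("visualization-exportImage.view", "visualization-exportPDF.view")

# XXE markers: a DOCTYPE whose internal subset declares an external (SYSTEM/PUBLIC) entity.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXT_ENTITY_RE = re.compile(r"<!ENTITY\b[^>]*\b(?:SYSTEM|PUBLIC)\b[^>]*>", re.IGNORECASE)
EXT_URI_RE = re.compile(r"\b(?:file|jar|ftp|https?)://", re.IGNORECASE)
# Response pattern quoted in the detection notes (contents of /etc/passwd).
PASSWD_LEAK_RE = re.compile(r"root:.*:0:0:")


@dataclass
class HttpEvent:
    """One request/response pair as a proxy or WAF log might record it (assumed shape)."""
    src_ip: str
    method: str
    path: str
    content_type: str = ""
    body: str = ""
    status: int = 0
    response_body: str = ""


def multipart_parts(content_type: str, body: str) -> List[str]:
    """Return the data section of every multipart/form-data part.

    The boundary comes from the Content-Type header, so the check does not
    depend on the PoC's fixed boundary string.
    """
    m = re.search(r'boundary="?([^";]+)"?', content_type, re.IGNORECASE)
    if not m:
        return [body]  # not multipart: inspect the raw body as one part
    delimiter = "--" + m.group(1)
    parts: List[str] = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.strip().startswith("--"):
            continue  # closing delimiter, no data
        sep = "\r\n\r\n" if "\r\n\r\n" in chunk else "\n\n"
        _headers, found, data = chunk.partition(sep)
        parts.append(data if found else chunk)
    return parts


def inspect_request(ev: HttpEvent) -> List[str]:
    """Findings for one POST to an export endpoint; empty list when nothing matches."""
    findings: List[str] = []
    path = ev.path.split("?", 1)[0]
    if ev.method.upper() != "POST" or not path.endswith(EXPORT_ENDPOINTS):
        return findings
    for part in multipart_parts(ev.content_type, ev.body):
        if DOCTYPE_RE.search(part) and EXT_ENTITY_RE.search(part):
            findings.append("xxe-doctype-external-entity")
            if EXT_URI_RE.search(part):
                findings.append("xxe-external-uri")
            break
    # Confirmation signal: a 200 whose body carries /etc/passwd-style lines.
    if ev.status == 200 and PASSWD_LEAK_RE.search(ev.response_body):
        findings.append("xxe-file-read-confirmed")
    return findings


# The three-step flow from the notes: CSRF token fetch, login, then the export POST.
SEQUENCE = ("project-begin.view", "login-loginApi.api", EXPORT_ENDPOINTS)


def sequence_sources(events: List[HttpEvent]) -> Set[str]:
    """Source IPs that completed the three-step sequence in order."""
    stage: Dict[str, int] = {}
    done: Set[str] = set()
    for ev in events:
        s = stage.get(ev.src_ip, 0)
        if s >= len(SEQUENCE):
            continue
        if ev.path.split("?", 1)[0].endswith(SEQUENCE[s]):
            stage[ev.src_ip] = s + 1
            if s + 1 == len(SEQUENCE):
                done.add(ev.src_ip)
    return done


def analyse(events: List[HttpEvent]) -> Dict[str, object]:
    flagged = [(ev.src_ip, f) for ev in events if (f := inspect_request(ev))]
    return {"xxe_requests": flagged, "sequence_sources": sorted(sequence_sources(events))}


# --- Constructed sample traffic (not captured data) ---------------------------
BOUNDARY = "constructedBoundary1234"  # constructed; any valid boundary string works


def multipart_body(filename: str, content: str) -> str:
    return (f"--{BOUNDARY}\r\n"
            f'Content-Disposition: form-data; name="svg"; filename="{filename}"\r\n'
            "Content-Type: image/svg+xml\r\n\r\n"
            f"{content}\r\n--{BOUNDARY}--\r\n")


SVG_XXE = ('<?xml version="1.0"?>\n'
           '<!DOCTYPE svg [ <!ENTITY ext SYSTEM "file:///etc/passwd"> ]>\n'
           '<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>')
SVG_BENIGN = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
CT = f"multipart/form-data; boundary={BOUNDARY}"

SAMPLE_EVENTS = [
    HttpEvent("10.0.0.5", "GET", "/labkey/project-begin.view", status=200),
    HttpEvent("10.0.0.5", "POST", "/labkey/login-loginApi.api", status=200),
    HttpEvent("10.0.0.5", "POST", "/labkey/visualization-exportPDF.view", CT,
              multipart_body("chart.svg", SVG_XXE), 200,
              "%PDF-1.4 ... root:x:0:0:root:/root:/bin/bash ..."),
    HttpEvent("10.0.0.9", "POST", "/labkey/visualization-exportImage.view?format=png", CT,
              multipart_body("chart.svg", SVG_BENIGN), 200, "\x89PNG..."),
]

if __name__ == "__main__":
    print(analyse(SAMPLE_EVENTS))
```

Run stand-alone, it reports the XXE findings for 10.0.0.5 only (the benign export from 10.0.0.9 produces nothing) and lists 10.0.0.5 as the one source that walked the full sequence. Because the notes say the endpoints need valid credentials, the sequence signal is the one to correlate with account activity; the body inspection alone will also fire on authenticated but clumsy probes that never reach the file read.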
CVSS provenance
- NVD v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- NVD v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
No detection rules found.
Nuclei
CVE-2019-9757 [HIGH] LabKey Server 19.1.0 - XML External Entity (XXE) (nuclei · CVSS 7.5)
Template (as indexed; the text is cut off at the source):

```yaml
id: CVE-2019-9757

info:
  name: LabKey Server 19.1.0 - XML External Entity (XXE)
  author: ritikchaddha
  severity: high
  description: |
    An issue was discovered in LabKey Server 19.1.0. Sending an SVG containing an XXE payload to the endpoint visualization-exportImage.view or visualization-exportPDF.view allows local files to be read.
  impact: |
    Attackers can read arbitrary local files on the server, potentially leading to information disclosure.
  remediation: |
    Update to the latest version of LabKey Server or apply security patches that fi
```
No writeups or analysis indexed.
References:
- https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2019-9757
- https://rhinosecuritylabs.com/application-security/labkey-server-vulnerabilities-to-rce