CVE Identification and Details

• Vendor: Labvantage
• Product: Labvantage LIMS
• Affected Endpoint: /labvantage/rc?command=file&file=WEB-CORE/elements/files/filesembedded.jsp&size=32&height=18&width=18
• Vulnerable Parameters: height, width
• Vulnerability Type: Reflected Cross-Site Scripting (XSS)

Reproduction of the Attack

The following steps were used to identify and confirm the reflected XSS vulnerability in the height and width parameters of the GET request to the affected endpoint. The testing was conducted using Burp Suite.

Step 1: Crafting the URL with XSS Payloads

1. Description: A request was crafted by adding the height and width parameters to the URL with the XSS payloads:
   • For height: height=18';alert("height");'
   • For width: width=18';alert("width");'

Figure 1: The request made by adding XSS payloads to the height and width parameters.

Step 2: XSS in width Parameter

1. Description: The URL with the XSS payload in the width parameter was accessed.
2. Observation: The XSS payload was reflected in the DOM, and the JavaScript alert width was triggered.

Figure 2: The alert appears when the XSS payload is injected into the width parameter.

Step 3: XSS in height Parameter

1. Description: The URL with the XSS payload in the height parameter was accessed.