CVE Identification and Details

• Vendor: Labvantage
• Product: Labvantage LIMS
• Affected Endpoint: POST /labvantage/rc?command=file&file=WEB-CORE/elements/files/filesembedded.jsp
• Vulnerable Parameters: sdcid, keyid1, keyid2, keyid3
• Vulnerability Type: Reflected Cross-Site Scripting (XSS)

Reproduction of the Attack

The following steps were used to identify and confirm the reflected XSS vulnerability in the sdcid, keyid1, keyid2, and keyid3 parameters of the POST request to the affected endpoint. The testing was conducted using Burp Suite.

Step 1: Crafting the POST Request with XSS Payloads

1. Description: A POST request was crafted by adding the XSS payloads to the body parameters:
   • For sdcid: sdcid=SDINote';alert("pwnandpatch-1");'
   • For keyid1: keyid1=X';alert("pwnandpatch-2");'
   • For keyid2: keyid2=';alert("pwnandpatch-3");'
   • For keyid3: keyid3=';alert("pwnandpatch-4");'

Figure 1: The request made by adding XSS payloads to the sdcid, keyid1, keyid2, and keyid3 parameters.

Step 2: XSS in sdcid Parameter

1. Description: The POST request with the XSS payload in the sdcid parameter was sent.
2. Observation: The XSS payload was reflected in the DOM, and the JavaScript alert pwnandpatch-1 was triggered.

Figure 2: The alert appears when the XSS payload is injected into the sdcid parameter.

Step 3: XSS in keyid1 Parameter

1. Description: The POST request with the XSS payload in the keyid1 parameter was sent.
2. Observation: The XSS payload was reflected in the DOM, and the JavaScript alert pwnandpatch-2 was triggered.