2020-08 Security update
Summary
Labforward released a security update for our website domains. The update contains security enhancements that help prevent potential cross-origin resource sharing (CORS) vulnerabilities. CORS is a mechanism that lets web browsers make cross-origin requests (for example via the XMLHttpRequest or fetch APIs) in a controlled manner. Such requests carry an Origin header that identifies the origin (scheme, host and port) of the page initiating the request; the server answers with Access-Control-Allow-Origin and related headers, and the browser uses them to decide whether the requesting page may read the response. The typical vulnerability of this class is a server that accepts arbitrary origins, in particular while also sending Access-Control-Allow-Credentials: true, which lets an attacker's page read responses returned for the victim's authenticated session.
Note: this security update does not affect our software products (Labfolder, Laboperator), in either their Cloud or On-Premise versions, as those products already handled this vulnerability class correctly.
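To make the server-side decision concrete, here is an added example (not Labforward's code, and not a description of the specific misconfiguration on their domains): three origin-checking policies a web server might use, a wildcard policy for public resources, and a probe that lists which attacker-controlled origins each policy would grant a credentialed cross-origin read to. The allowlist, the example.com hosts and the probe origins are constructed placeholders.

```javascript
// Added example, not Labforward's code. The origins, allowlist and header
// policies below are constructed to illustrate how a server decides the
// CORS response headers and which decisions are exploitable.

// Constructed allowlist of first-party origins (scheme + host + port).
const ALLOWED_ORIGINS = new Set([
  "https://www.example.com",
  "https://app.example.com",
]);

// Vulnerable policy 1: reflect whatever Origin the browser sent and allow
// credentials. Any page can then read responses made with the victim's cookies.
function reflectingPolicy(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Vulnerable policy 2: a suffix check. "https://evil-example.com" is not
// first-party but ends with "example.com"; so does the plain-http origin
// "http://www.example.com", which a network attacker can impersonate.
function suffixPolicy(requestOrigin) {
  if (!requestOrigin || !requestOrigin.endsWith("example.com")) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Hardened policy: exact-match allowlist. "null" and unknown origins get no
// CORS headers at all, so the browser refuses the cross-origin read.
function allowlistPolicy(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Public, unauthenticated resources need no reflection at all: a wildcard
// without credentials lets any page read the response, never with cookies
// (browsers reject "*" combined with Allow-Credentials: true).
function publicPolicy(requestOrigin) {
  return { "Access-Control-Allow-Origin": "*" };
}

// The tester's question: given the Origin it sent, will the browser hand the
// attacker's page a credentialed response? That needs exactly this header pair.
function credentialedReadAllowed(requestOrigin, headers) {
  return headers["Access-Control-Allow-Origin"] === requestOrigin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

// Constructed attacker-controlled origins a pentester would probe with.
const PROBE_ORIGINS = [
  "https://attacker.test",
  "https://evil-example.com",
  "https://www.example.com.attacker.test",
  "null",                     // sandboxed iframes and file:// pages send this
  "http://www.example.com",   // scheme downgrade of a legitimate host
];

// Returns the probe origins a policy would grant a credentialed read to.
function exploitableOrigins(policy) {
  return PROBE_ORIGINS.filter(o => credentialedReadAllowed(o, policy(o)));
}

// Demonstration when run directly with node.
const policies = { reflectingPolicy, suffixPolicy, allowlistPolicy, publicPolicy };
for (const [name, policy] of Object.entries(policies)) {
  console.log(name.padEnd(16), exploitableOrigins(policy));
}
```

Run with node: the reflecting policy accepts every probe origin, the suffix policy still accepts the look-alike host and the http downgrade, and the allowlist and wildcard policies accept none. Note that the allowlist policy also sends Vary: Origin so that a cached response for one allowed origin is not served, with its Access-Control-Allow-Origin value, to another.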
Acknowledgement: we would like to sincerely thank Bilal Abdul Muqeet for reporting this issue. Your support in making our websites more secure is highly appreciated!
Severity = What is the worst theoretical outcome?
Rating: Moderate
Description: Impact of the vulnerability is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations. In this case, the impact of CORS vulnerabilities was significantly reduced by the fact that our websites are not used for logging in users (a CORS exploit relies on the victim's browser attaching session credentials to the cross-origin request, so authenticated sites are the main attack avenue), and that most of the resources that could be captured using a CORS exploit are publicly available anyway. There are a few edge cases where the severity is somewhat higher, which is why this issue has been rated as Moderate.
Exploitability = What is the likelihood that a vulnerability addressed in a security update will be exploited?
Rating: Exploitation More Likely
Description: Labforward analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. Moreover, Labforward is aware of past instances of this type of vulnerability being exploited (outside of our organization). This makes it an attractive target for attackers, and therefore more likely that exploits could be created.
- No action required from our customers and users.