LabVantage before LV 8.8.0.13 HF6 allows local file inclusion. Authenticated users can retrieve arbitrary files from the environment via the objectname request parameter.
The LabVantage application does not properly validate the value of the objectname parameter passed in the HTTP request, which is a classic case of CWE-73 (External Control of File Name or Path). An authenticated user can provide in this parameter a path to any file accessible in the server environment. The path traversal mechanism or direct path specification allows reading files outside the intended scope of the application, including potentially configuration files, authentication data, or other sensitive system resources.
An attacker with a valid account in the system can read arbitrary files from the server, leading to disclosure of sensitive data (e.g., passwords, configuration keys, laboratory data). Obtained information can be used for further environment compromise, privilege escalation, or lateral movement.
LabVantage should be updated to version LV 8.8.0.13 HF6 or later. Until the patch is deployed, it is recommended to restrict application access only to trusted, authenticated users and to monitor logs for unusual values of the objectname parameter. Detailed information is available from the vendor at https://www.labvantage.com.
LabVantage LIMS in all versions preceding LV 8.8.0.13 HF6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H