CVE-2019-3911: Reflected XSS
Numerous XSS flaws exist in LabKey Server Community Edition prior to 18.3.0. For all query-* functions in the query viewers, with the exception of query-selectAllRows, the “query.sort” parameter in particular does not appear to be validated or sanitized in any way. Because this parameter is reflected in the output to the user and interpreted by the browser, a cross-site scripting attack becomes possible. This allows an attacker to run arbitrary code within the context of the user’s browser.
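The missing controls on a reflected sort parameter, shown as an added example (not LabKey's code and not part of the original advisory): the unencoded reflection next to a version that validates the value against known columns and HTML-encodes anything it echoes. The sort grammar (comma-separated column names with an optional `+`/`-` prefix), the column set, the function names and the sample inputs are assumptions constructed for illustration.

```python
import html
import re

# Assumption: a sort value is a comma-separated list of column names, each
# optionally prefixed with "+" (ascending) or "-" (descending).
_SORT_TERM = re.compile(r"[+-]?[A-Za-z_][A-Za-z0-9_]*")

COLUMNS = {"Name", "Age", "Created"}       # constructed column set
SAMPLE_OK = "-Created,Name"                # constructed well-formed value
SAMPLE_BAD = 'Name"><b>injected</b>'       # constructed value carrying markup

def parse_sort(raw, known_columns):
    """Return [(column, descending), ...] or raise ValueError."""
    terms = []
    for term in raw.split(","):
        term = term.strip()
        if not _SORT_TERM.fullmatch(term):
            raise ValueError("malformed sort term")
        column = term.lstrip("+-")
        if column not in known_columns:
            raise ValueError("unknown sort column")
        terms.append((column, term.startswith("-")))
    return terms

def render_vulnerable(raw_sort):
    # Before: the request parameter is copied into markup unchanged.
    return '<input name="query.sort" value="' + raw_sort + '">'

def render_hardened(raw_sort, known_columns):
    try:
        terms = parse_sort(raw_sort, known_columns)
        notice = ""
    except ValueError:
        # Reject the sort; if the bad value is echoed at all, encode it.
        terms = []
        notice = "<p>Ignored sort: " + html.escape(raw_sort, quote=True) + "</p>"
    canonical = ",".join(("-" if desc else "") + col for col, desc in terms)
    # Encode at output even after validation (defence in depth).
    return notice + '<input name="query.sort" value="' + html.escape(canonical, quote=True) + '">'

if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_BAD))
    print(render_hardened(SAMPLE_BAD, COLUMNS))
```

Validation alone would stop this input, but encoding at the point of output is what keeps any other reflection path, such as the rejection notice here, from reintroducing the flaw.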