CVE-2022-36551
published 2022-10-03

Priority: P348
Severity: medium (CVSS 3.1 base score 6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploit likelihood (EPSS): 5.09% (91.3rd percentile)
A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. Furthermore, self-registration is enabled by default in these versions of Label Studio enabling a remote attacker to create a new account and then exploit the SSRF.

Affected (3 ranges)

Vendor        Product        Version range            Fixed in
heartex       label_studio   <= 1.5.0                 (none listed)
humansignal   label-studio   >= 0, < 1.6.0            1.6.0
humansignal   label-studio   >= 0, < 1.5.0.post0      1.5.0.post0