CVE-2023-47115
published 2024-01-23CVE-2023-47115: Label Studio is an a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited…
PriorityP334medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EXPLOIT
EPSS
1.45%
70.0th percentile
Label Studio is an a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website. Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image. For an example, an attacker can craft a JavaScript payload that adds a new Django Super Administrator user if a Django administrator visits the image.
The file `users/functions.py` lines 18-49 show that the only verification check is that the file is an image by extracting the dimensions from the file. Label Studio serves avatar images using Django's built-in `serve` view, which is not secure for production use according to Django's documentation. The issue with the Django `serve` view is that it determines the `Content-Type` of the response by the file extension in the URL path. Therefore, an attacker can upload an image that contains malicious HTML code and name the file with a `.html` extension to be rendered as a HTML page. The only file extension validation is performed on the client-side, which can be easily bypassed.
Version 1.9.2 fixes this issue. Other remediation strategies include validating the file extension on the server side, not in client-side code; removing the use of Django's `serve` view and implement a secure controller for viewing uploaded avatar images; saving file content in the database rather than on the filesystem to mitigate against other file related vulnerabilities; and avoiding trusting user controlled inputs.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| humansignal | label-studio | < 1.9.2 | 1.9.2 |
| humansignal | label-studio | >= 0 < 1.9.2 | 1.9.2 |
| humansignal | label-studio | >= 0 < a7a71e594f32ec4af8f3f800d5ccb8662e275da3 | a7a71e594f32ec4af8f3f800d5ccb8662e275da3 |
| humansignal | label_studio | < 1.9.2 | 1.9.2 |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Cross-site Scripting Vulnerability on Avatar Upload
osv·2024-01-24
CVE-2023-47115 [HIGH] Cross-site Scripting Vulnerability on Avatar Upload
Cross-site Scripting Vulnerability on Avatar Upload
# Introduction
This write-up describes a vulnerability found in [Label Studio](https://github.com/HumanSignal/label-studio), a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to `1.9.2` and was tested on version `1.8.2`.
# Overview
[Label Studio](https://github.com/HumanSignal/label-studio) has a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website.
# Description
The following [code snippet in Label Studio](https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49) shows that the only verification check is that t
GHSA
Cross-site Scripting Vulnerability on Avatar Upload
ghsa·2024-01-24
CVE-2023-47115 [HIGH] CWE-79 Cross-site Scripting Vulnerability on Avatar Upload
Cross-site Scripting Vulnerability on Avatar Upload
# Introduction
This write-up describes a vulnerability found in [Label Studio](https://github.com/HumanSignal/label-studio), a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to `1.9.2` and was tested on version `1.8.2`.
# Overview
[Label Studio](https://github.com/HumanSignal/label-studio) has a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website.
# Description
The following [code snippet in Label Studio](https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49) shows that the only verification check is that t
OSV
CVE-2023-47115: Label Studio is an a popular open source data labeling tool
osv·2024-01-23
CVE-2023-47115 CVE-2023-47115: Label Studio is an a popular open source data labeling tool
Label Studio is an a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website. Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image. For an example, an attacker can craft a JavaScript payload that adds a new Django Super Administrator user if a Django administrator visits the image.
The file `users/functions.py` lines 18-49 show that the only verification check is that the file is an image by extracting the dimensions from the file. Label Studio serves avatar images using Django's built-in `serve`
No detection rules found.
Nuclei
Label Studio - Cross-Site Scripting
nuclei·CVSS 5.4
CVE-2023-47115 [MEDIUM] Label Studio - Cross-Site Scripting
Label Studio - Cross-Site Scripting
Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website.
Template:
id: CVE-2023-47115
info:
name: Label Studio - Cross-Site Scripting
author: isacaya
severity: high
description: |
Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website.
impact: |
Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image.
remediation: |
Update to version 1.9.2.
No writeups or analysis indexed.
https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-developmenthttps://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26https://github.com/HumanSignal/label-studio/commit/a7a71e594f32ec4af8f3f800d5ccb8662e275da3https://github.com/HumanSignal/label-studio/security/advisories/GHSA-q68h-xwq5-mm7xhttps://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-developmenthttps://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26https://github.com/HumanSignal/label-studio/commit/a7a71e594f32ec4af8f3f800d5ccb8662e275da3https://github.com/HumanSignal/label-studio/security/advisories/GHSA-q68h-xwq5-mm7x
2024-01-23
Published