GHSA-Q68H-XWQ5-MM7X Cross-site Scripting Vulnerability on Avatar Upload
Introduction This write-up describes a vulnerability found in Label Studio, a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.9.2 and was tested on version 1.8.2. Overview Label Studio has a cross-site scripting XSS vulnerability that coul...
Cross site scripting
Label Studio is a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as an HTML file on the website. Executing arbitrary...
CVE-2023-47115
CVE-2023-47115 : Label Studio before version 1.9.2 contains an XSS vulnerability via avatar upload. The vulnerability stems from the avatar handling in label_studio/users/functions.py, which only validates that the uploaded file is an image by checking dimensions; it does not securely validate th...
PT-2024-13407 · Django +1 · Django +1
Name of the Vulnerable Software and Affected Versions: Label Studio versions prior to 1.9.2 Description: The issue is a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as an HTML file on the...
SUSE CVE-2015-0221
The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service memory consumption via a long line in a file...
GHSA-H4HV-M4H4-MHWG Django open redirect
A maliciously crafted URL to a Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 site using the django.views.static.serve view could redirect to any other domain, aka an open redirect vulnerability...
[SECURITY] [DLA 885-1] python-django security update
Package : python-django Version : 1.4.22-1+deb7u3 CVE ID : CVE-2017-7233, CVE-2017-7234 Debian Bug : 859515, 859516 It was discovered that there were two vulnerabilities in python-django, a high-level Python web development framework. CVE-2017-7233 859515: Open redirect and possible XSS attack vi...
PT-2017-17596 · Django Software Foundation +2 · Django +2
Name of the Vulnerable Software and Affected Versions: Django versions 1.8 through 1.8.18 Django versions 1.9 through 1.9.13 Django versions 1.10 through 1.10.7 Description: A maliciously crafted URL to a Django site using the django.views.static.serve view could redirect to any other domain. Thi...