Veracode Vulnerability DatabaseVERACODE:45146Cross Site Scripting (XSS)
7.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
6.8 Medium
AI Score
Confidence
High
0.023 Low
EPSS
Percentile
89.8%
label_studio is vulnerable to Cross Site Scripting (XSS). The vulnerability due to improper image sanitization during upload, which allows an authenticated user to upload a crafted image file for their avatar which gets rendered as an HTML file. This allows an attacker to execute arbitrary JavaScript and performs malicious actions within Label Studio.
| CPE | Name | Operator | Version |
|---|---|---|---|
| label-studio | le | 1.9.1 | |
| label-studio | le | 1.9.1 |
References
docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development
github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49
github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26
github.com/HumanSignal/label-studio/commit/a7a71e594f32ec4af8f3f800d5ccb8662e275da3
github.com/HumanSignal/label-studio/security/advisories/GHSA-q68h-xwq5-mm7x
Related
7.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
6.8 Medium
AI Score
Confidence
High
0.023 Low
EPSS
Percentile
89.8%