7.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
6.8 Medium
AI Score
Confidence
High
0.023 Low
EPSS
Percentile
89.8%
label_studio is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to improper image sanitization during upload, which allows an authenticated user to upload a crafted image file as their avatar that is then served and rendered as an HTML file. This allows an attacker to execute arbitrary JavaScript and perform malicious actions within Label Studio.
CPE | Name | Operator | Version
---|---|---|---
 | label-studio | le | 1.9.1
docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development
github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49
github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26
github.com/HumanSignal/label-studio/commit/a7a71e594f32ec4af8f3f800d5ccb8662e275da3
github.com/HumanSignal/label-studio/security/advisories/GHSA-q68h-xwq5-mm7x
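The references above point at Django's development-only `serve()` view and at Label Studio's avatar upload check and URL routing, which is the pattern behind this class of bug: the upload is validated as image content, but the file is stored and served under the name the user supplied, and a file server that derives Content-Type from that name (Django's `serve()` does this with `mimetypes.guess_type`) hands a `.html` name back as `text/html`, so the browser renders whatever follows the image header. The following is an added example, not Label Studio's code or the fix in the linked commit; the allowlist, function names and the polyglot sample are this example's own constructions. It puts a content-only check next to a hardened one that ties the extension to the sniffed format, stores the file under a server-chosen name, and serves it with headers derived from the verified bytes rather than from the filename.

```python
import mimetypes

# Assumed allowlist of avatar formats (this example's choice, not Label Studio's
# configuration): leading magic bytes -> MIME type, and the extensions accepted.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
}
ALLOWED_EXTENSIONS = {
    "png": "image/png",
    "gif": "image/gif",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
}
CANONICAL_EXTENSION = {"image/png": "png", "image/gif": "gif", "image/jpeg": "jpg"}

# Constructed sample upload: it starts with a valid PNG signature, so a check that
# only asks "does this look like an image?" accepts it, but the rest is HTML.
POLYGLOT_UPLOAD = (
    b"\x89PNG\r\n\x1a\n"
    b"<html><body><script>alert(document.cookie)</script></body></html>"
)


def sniff_content_type(data: bytes):
    """Return the MIME type implied by the leading magic bytes, or None."""
    for magic, content_type in SIGNATURES.items():
        if data.startswith(magic):
            return content_type
    return None


def naive_accept(filename: str, data: bytes) -> bool:
    """Content-only validation: accepts anything whose first bytes are an image
    signature, regardless of the name the file will be stored and served under."""
    return sniff_content_type(data) is not None


def extension_derived_headers(filename: str) -> dict:
    """What a file server that trusts the stored name does: Content-Type comes from
    the extension (Django's development serve() view uses mimetypes.guess_type)."""
    content_type, _ = mimetypes.guess_type(filename)
    return {"Content-Type": content_type or "application/octet-stream"}


def hardened_accept(filename: str, data: bytes):
    """Reject unless the extension is allowlisted AND agrees with the sniffed content.
    Returns (accepted, reason-or-content-type)."""
    _, dot, ext = filename.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    expected = ALLOWED_EXTENSIONS[ext]
    actual = sniff_content_type(data)
    if actual is None:
        return False, "content is not a recognised image"
    if actual != expected:
        return False, "extension does not match content"
    return True, expected


def storage_name(data: bytes, token: str) -> str:
    """Store under a server-chosen name whose extension comes from the verified
    content, never from the user-supplied filename. `token` is a random id the
    caller generates (e.g. secrets.token_hex(16))."""
    content_type = sniff_content_type(data)
    if content_type is None:
        raise ValueError("not an allowed image")
    return f"{token}.{CANONICAL_EXTENSION[content_type]}"


def safe_headers(data: bytes) -> dict:
    """Serve with Content-Type taken from the verified bytes, forbid MIME sniffing,
    and deny any script execution if the response is ever navigated to directly."""
    content_type = sniff_content_type(data)
    if content_type is None:
        raise ValueError("not an allowed image")
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "inline; filename=avatar." + CANONICAL_EXTENSION[content_type],
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # The upload path that trusts the user-supplied name versus the hardened path.
    print("naive accepts avatar.html:", naive_accept("avatar.html", POLYGLOT_UPLOAD))
    print("served as:", extension_derived_headers("avatar.html"))
    print("hardened verdict:", hardened_accept("avatar.html", POLYGLOT_UPLOAD))
    print("stored as:", storage_name(POLYGLOT_UPLOAD, "0123abcd"))
    print("served with:", safe_headers(POLYGLOT_UPLOAD))
```

Note that `hardened_accept` still admits the polyglot when it is named `avatar.png`: a magic-byte check cannot prove the rest of the file is image data, which is why the serving side must not trust the name either. A production check should additionally decode the whole file with an image library (for example Pillow's `Image.open()` followed by `verify()`) and ideally re-encode it, so that trailing HTML never reaches storage at all; the headers in `safe_headers` then act as a second layer if something still gets through.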