Veracode Vulnerability Database: VERACODE:45146
History: Jan 24, 2024 - 7:04 a.m.

Cross Site Scripting (XSS)

2024-01-24 07:04:13
Veracode Vulnerability Database
sca.analysiscenter.veracode.com

Tags: cross site scripting, vulnerability, image sanitization, user upload, authenticated user, crafted image, avatar, html file, attacker, arbitrary javascript, malicious actions, security

CVSS3: 7.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

AI Score: 6.8 Medium (Confidence: High)
EPSS: 0.023 Low (Percentile: 89.8%)

label_studio is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to improper image sanitization during upload, which allows an authenticated user to upload a crafted image file as their avatar that is then rendered as an HTML file. This allows an attacker to execute arbitrary JavaScript and perform malicious actions within Label Studio.
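The root cause described above is an avatar endpoint that trusts the uploaded file's name and declared type, so a file that is really HTML is stored and later served in a way the browser renders as a document. The following is an added defensive example, not code from Label Studio or from the Veracode record: it validates an avatar upload by its magic bytes, requires the extension to agree with the detected format, rejects image data that carries HTML markup, chooses the stored filename on the server side, and returns the response headers an avatar should be served with. All function names and the sample inputs are constructed for this illustration.

```python
"""Defensive avatar-upload validation (added example; assumptions are marked)."""
import re
from typing import Dict, Optional, Tuple

# Magic-byte signatures for the only formats an avatar endpoint should accept.
# SVG is deliberately absent: it is XML, may embed <script>, and is never a safe avatar.
SIGNATURES: Dict[str, Tuple[bytes, ...]] = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXTENSIONS: Dict[str, Tuple[str, ...]] = {
    "image/png": ("png",),
    "image/jpeg": ("jpg", "jpeg"),
    "image/gif": ("gif",),
}

# Markup a browser could act on if the bytes were ever interpreted as HTML.
# Real image data almost never contains these tags, so a match is a strong rejection signal.
HTML_MARKERS = re.compile(
    rb"<\s*/?\s*(script|html|body|head|iframe|svg|object|embed)\b", re.IGNORECASE
)


class RejectedUpload(ValueError):
    """Raised when an upload fails validation; the message is safe to log."""


def detect_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's leading bytes, or None if unknown."""
    for mime, sigs in SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return mime
    return None


def validate_avatar(data: bytes, filename: str, max_bytes: int = 2 * 1024 * 1024) -> str:
    """Validate an avatar upload and return its MIME type, or raise RejectedUpload."""
    if len(data) > max_bytes:
        raise RejectedUpload("avatar exceeds size limit")
    mime = detect_image_type(data)
    if mime is None:
        raise RejectedUpload("not a PNG, JPEG or GIF")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS[mime]:
        # A ".html" or ".svg" name on real image bytes is the classic way to get
        # the file served as a document; the declared name must match the content.
        raise RejectedUpload("file extension does not match image content")
    if HTML_MARKERS.search(data):
        raise RejectedUpload("HTML markup embedded in image data")
    return mime


def storage_name(user_id: int, mime: str) -> str:
    """Server-chosen filename: the user-supplied name never reaches disk or a URL."""
    return f"{user_id}.{ALLOWED_EXTENSIONS[mime][0]}"


def avatar_response_headers(mime: str) -> Dict[str, str]:
    """Headers for serving the stored avatar: type from validated content, no sniffing,
    and a sandboxed CSP so a direct navigation to the file cannot run script."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample uploads (hypothetical, not real files) covering the failure modes.
SAMPLES: Dict[str, Tuple[bytes, str]] = {
    "valid_png": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 32, "me.png"),
    "html_as_png_name": (b"<html><script></script></html>", "me.png"),
    "png_html_polyglot": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"<script></script>", "me.png"),
    "png_with_html_extension": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 32, "me.html"),
}


def run_samples() -> Dict[str, str]:
    """Run every sample through validate_avatar and report the outcome per sample."""
    results: Dict[str, str] = {}
    for name, (data, filename) in SAMPLES.items():
        try:
            results[name] = "accepted:" + validate_avatar(data, filename)
        except RejectedUpload as exc:
            results[name] = "rejected:" + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:25s} {outcome}")
```

Only the first sample is accepted; the other three are rejected for being non-image content, for carrying HTML markup inside otherwise valid PNG bytes, and for a filename extension that disagrees with the detected format. The stdlib checks above are a gate, not a full sanitizer: where an image library is available, re-encoding the validated image to a fresh file discards any trailing or embedded data the checks did not anticipate.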

Affected CPE
Name: label-studio  Operator: le (<=)  Version: 1.9.1
