fix-formatting

http/cves/2023/CVE-2023-47115.yaml

@@ -1,10 +1,11 @@
 id: CVE-2023-47115
 
 info:
-  name: Stored Cross-Site Scripting Vulnerability in Label Studio
+  name: Label Studio - Stored Cross-Site Scripting
   author: isacaya
   severity: high
-  description: Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website.
+  description: |
+    Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website.
   impact: |
     Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image.
   remediation: |
@@ -12,12 +13,19 @@ info:
   reference:
     - https://nvd.nist.gov/vuln/detail/CVE-2023-47115
     - https://github.com/advisories/GHSA-q68h-xwq5-mm7x
+    - https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development
+    - https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49
+    - https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
     cvss-score: 7.1
     cve-id: CVE-2023-47115
     cwe-id: CWE-79
-  tags: cve,cve2023,xss,authenticated
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: http.favicon.hash:-1649949475
+  tags: cve,cve2023,xss,authenticated,intrusive,label-studio
 
 http:
   - raw:
@@ -58,12 +66,14 @@ http:
         attribute: value
         xpath:
           - '/html/body/div/form/input'
+
       - type: json
         part: body
         name: id
         internal: true
         json:
           - '.id'
+
       - type: json
         part: body
         name: filename