{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-47115", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-10-30T19:57:51.674Z", "datePublished": "2024-01-23T22:49:03.958Z", "dateUpdated": "2024-08-02T21:01:22.795Z"}, "containers": {"cna": {"title": "Label Studio XSS Vulnerability on Avatar Upload", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-q68h-xwq5-mm7x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-q68h-xwq5-mm7x"}, {"name": "https://github.com/HumanSignal/label-studio/commit/a7a71e594f32ec4af8f3f800d5ccb8662e275da3", "tags": ["x_refsource_MISC"], "url": "https://github.com/HumanSignal/label-studio/commit/a7a71e594f32ec4af8f3f800d5ccb8662e275da3"}, {"name": "https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development", "tags": ["x_refsource_MISC"], "url": "https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development"}, {"name": "https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49", "tags": ["x_refsource_MISC"], "url": "https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49"}, {"name": "https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26", "tags": ["x_refsource_MISC"], "url": "https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26"}], "affected": [{"vendor": "HumanSignal", "product": "label-studio", "versions": [{"version": "< 1.9.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-23T22:49:03.958Z"}, "descriptions": [{"lang": "en", "value": "Label Studio is an a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website. Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image. For an example, an attacker can craft a JavaScript payload that adds a new Django Super Administrator user if a Django administrator visits the image.\n\nThe file `users/functions.py` lines 18-49 show that the only verification check is that the file is an image by extracting the dimensions from the file. Label Studio serves avatar images using Django's built-in `serve` view, which is not secure for production use according to Django's documentation. The issue with the Django `serve` view is that it determines the `Content-Type` of the response by the file extension in the URL path. Therefore, an attacker can upload an image that contains malicious HTML code and name the file with a `.html` extension to be rendered as a HTML page. The only file extension validation is performed on the client-side, which can be easily bypassed.\n\nVersion 1.9.2 fixes this issue. Other remediation strategies include validating the file extension on the server side, not in client-side code; removing the use of Django's `serve` view and implement a secure controller for viewing uploaded avatar images; saving file content in the database rather than on the filesystem to mitigate against other file related vulnerabilities; and avoiding trusting user controlled inputs."}], "source": {"advisory": "GHSA-q68h-xwq5-mm7x", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:01:22.795Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-q68h-xwq5-mm7x", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-q68h-xwq5-mm7x"}, {"name": "https://github.com/HumanSignal/label-studio/commit/a7a71e594f32ec4af8f3f800d5ccb8662e275da3", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/HumanSignal/label-studio/commit/a7a71e594f32ec4af8f3f800d5ccb8662e275da3"}, {"name": "https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development"}, {"name": "https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49"}, {"name": "https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*:*", "matchCriteriaId": "326DCEFD-7346-4651-80AD-728FE9E4BD87", "versionEndExcluding": "1.9.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Label Studio is an a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website. Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image. For an example, an attacker can craft a JavaScript payload that adds a new Django Super Administrator user if a Django administrator visits the image.\n\nThe file `users/functions.py` lines 18-49 show that the only verification check is that the file is an image by extracting the dimensions from the file. Label Studio serves avatar images using Django's built-in `serve` view, which is not secure for production use according to Django's documentation. The issue with the Django `serve` view is that it determines the `Content-Type` of the response by the file extension in the URL path. Therefore, an attacker can upload an image that contains malicious HTML code and name the file with a `.html` extension to be rendered as a HTML page. The only file extension validation is performed on the client-side, which can be easily bypassed.\n\nVersion 1.9.2 fixes this issue. Other remediation strategies include validating the file extension on the server side, not in client-side code; removing the use of Django's `serve` view and implement a secure controller for viewing uploaded avatar images; saving file content in the database rather than on the filesystem to mitigate against other file related vulnerabilities; and avoiding trusting user controlled inputs."}, {"lang": "es", "value": "Label Studio es una popular herramienta de etiquetado de datos de c\u00f3digo abierto. Las versiones anteriores a la 1.9.2 tienen una vulnerabilidad de cross-site scripting (XSS) que podr\u00eda explotarse cuando un usuario autenticado carga un archivo de imagen manipulado para su avatar que se representa como un archivo HTML en el sitio web. La ejecuci\u00f3n de JavaScript arbitrario podr\u00eda provocar que un atacante realice acciones maliciosas en los usuarios de Label Studio si visitan la imagen de avatar creada. Por ejemplo, un atacante puede crear un payload de JavaScript que agregue un nuevo usuario de Superadministrador de Django si un administrador de Django visita la imagen. Las l\u00edneas 18-49 del archivo `users/functions.py` muestran que la \u00fanica verificaci\u00f3n de verificaci\u00f3n es que el archivo es una imagen extrayendo las dimensiones del archivo. Label Studio sirve im\u00e1genes de avatar utilizando la vista \"servir\" incorporada de Django, que no es segura para uso en producci\u00f3n seg\u00fan la documentaci\u00f3n de Django. El problema con la vista `serve` de Django es que determina el `Tipo de contenido` de la respuesta por la extensi\u00f3n del archivo en la ruta URL. Por lo tanto, un atacante puede cargar una imagen que contenga c\u00f3digo HTML malicioso y nombrar el archivo con una extensi\u00f3n \".html\" para que se represente como una p\u00e1gina HTML. La \u00fanica validaci\u00f3n de la extensi\u00f3n de archivo se realiza en el lado del cliente, lo que se puede omitir f\u00e1cilmente. La versi\u00f3n 1.9.2 soluciona este problema. Otras estrategias de correcci\u00f3n incluyen validar la extensi\u00f3n del archivo en el lado del servidor, no en el c\u00f3digo del lado del cliente; eliminar el uso de la vista `serve` de Django e implementar un controlador seguro para ver las im\u00e1genes de avatar cargadas; guardar el contenido del archivo en la base de datos en lugar de en el sistema de archivos para mitigar otras vulnerabilidades relacionadas con los archivos; y evitar confiar en las entradas controladas por el usuario."}], "id": "CVE-2023-47115", "lastModified": "2024-02-01T15:48:10.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-23T23:15:08.100", "references": [{"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/HumanSignal/label-studio/commit/a7a71e594f32ec4af8f3f800d5ccb8662e275da3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-q68h-xwq5-mm7x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}