CVE - CVE-2023-47115

CVE-ID
CVE-2023-47115	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Label Studio is an a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website. Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image. For an example, an attacker can craft a JavaScript payload that adds a new Django Super Administrator user if a Django administrator visits the image. The file `users/functions.py` lines 18-49 show that the only verification check is that the file is an image by extracting the dimensions from the file. Label Studio serves avatar images using Django's built-in `serve` view, which is not secure for production use according to Django's documentation. The issue with the Django `serve` view is that it determines the `Content-Type` of the response by the file extension in the URL path. Therefore, an attacker can upload an image that contains malicious HTML code and name the file with a `.html` extension to be rendered as a HTML page. The only file extension validation is performed on the client-side, which can be easily bypassed. Version 1.9.2 fixes this issue. Other remediation strategies include validating the file extension on the server side, not in client-side code; removing the use of Django's `serve` view and implement a secure controller for viewing uploaded avatar images; saving file content in the database rather than on the filesystem to mitigate against other file related vulnerabilities; and avoiding trusting user controlled inputs.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development URL:https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development MISC:https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49 URL:https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49 MISC:https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26 URL:https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26 MISC:https://github.com/HumanSignal/label-studio/commit/a7a71e594f32ec4af8f3f800d5ccb8662e275da3 URL:https://github.com/HumanSignal/label-studio/commit/a7a71e594f32ec4af8f3f800d5ccb8662e275da3 MISC:https://github.com/HumanSignal/label-studio/security/advisories/GHSA-q68h-xwq5-mm7x URL:https://github.com/HumanSignal/label-studio/security/advisories/GHSA-q68h-xwq5-mm7x
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20231030	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20231030)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)