Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2023-47115

Disclosure Date: January 23, 2024 •

CVE-2023-47115 CVSS v3 Base Score: 5.4

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Label Studio is an a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website. Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image. For an example, an attacker can craft a JavaScript payload that adds a new Django Super Administrator user if a Django administrator visits the image.

The file users/functions.py lines 18-49 show that the only verification check is that the file is an image by extracting the dimensions from the file. Label Studio serves avatar images using Django’s built-in serve view, which is not secure for production use according to Django’s documentation. The issue with the Django serve view is that it determines the Content-Type of the response by the file extension in the URL path. Therefore, an attacker can upload an image that contains malicious HTML code and name the file with a .html extension to be rendered as a HTML page. The only file extension validation is performed on the client-side, which can be easily bypassed.

Version 1.9.2 fixes this issue. Other remediation strategies include validating the file extension on the server side, not in client-side code; removing the use of Django’s serve view and implement a secure controller for viewing uploaded avatar images; saving file content in the database rather than on the filesystem to mitigate against other file related vulnerabilities; and avoiding trusting user controlled inputs.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

5.4 Medium

Impact Score:

2.7

Exploitability Score:

2.3

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

Required

Scope (S):

Changed

Confidentiality (C):

Low

Integrity (I):

Low

Availability (A):

None

Vendors

humansignal

Products

label studio

References

Canonical

CVE-2023-47115 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47115)

Miscellaneous

https://github.com/HumanSignal/label-studio/security/advisories/GHSA-q68h-xwq5-mm7x

https://github.com/HumanSignal/label-studio/commit/a7a71e594f32ec4af8f3f800d5ccb8662e275da3

https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development

https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49

https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26

Rapid7

Unknown

CVE-2023-47115

Unknown

Unknown

Required

Low

Network

CVE-2023-47115

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2023-47115

Unknown

Unknown

Required

Low

Network

CVE-2023-47115

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification