Exploit for Label Studio - Cross-Site Scripting (CVE-2023-47115)

Description:

Label Studio versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file as their avatar, which then gets rendered as an HTML file on the website.
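
A defensive check for the avatar upload described above, as an added example (not Label Studio's code or its fix). It assumes the serving side picks the Content-Type from the file name alone; `check_avatar`, `sniff_image_type`, `served_content_type` and the sample bytes are hypothetical names and constructed data.

```python
import mimetypes
from pathlib import PurePosixPath

# Magic-byte prefixes for the image types this sketch accepts as avatars.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Extensions allowed for each sniffed type.
EXTENSIONS = {"png": {".png"}, "jpeg": {".jpg", ".jpeg"}, "gif": {".gif"}}


def sniff_image_type(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for kind, prefixes in MAGIC.items():
        if data.startswith(prefixes):
            return kind
    return None


def served_content_type(filename: str) -> str:
    """Content-Type a server that trusts only the file name would send (assumption)."""
    guessed, _ = mimetypes.guess_type(filename)
    return guessed or "application/octet-stream"


def check_avatar(filename: str, data: bytes):
    """Return (accepted, reason) for an uploaded avatar."""
    kind = sniff_image_type(data)
    if kind is None:
        return False, "content is not a PNG, JPEG or GIF image"
    ext = PurePosixPath(filename).suffix.lower()
    if ext not in EXTENSIONS[kind]:
        return False, f"extension {ext!r} does not match {kind} content"
    if not served_content_type(filename).startswith("image/"):
        return False, "file name would not be served as an image"
    return True, f"{kind} image with matching extension"


# Constructed sample: bytes that begin like a GIF, uploaded under two names.
SAMPLE = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00;"

if __name__ == "__main__":
    for name in ("avatar.gif", "avatar.html"):
        print(name, served_content_type(name), check_avatar(name, SAMPLE))
```

Checking the content alone would accept both names; the second is rejected only because the extension is compared with the sniffed type.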

Nuclei Template

View the template here: CVE-2023-47115.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2023/CVE-2023-47115.yaml

References:

https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development
https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26
https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49
https://github.com/advisories/GHSA-q68h-xwq5-mm7x
https://nvd.nist.gov/vuln/detail/CVE-2023-47115