label-studio@1.7.1 vulnerabilities
Label Studio annotation tool
-
latest version
1.14.0.post0
-
latest non vulnerable version
-
first published
5 years ago
-
latest version published
13 days ago
-
licenses detected
- [1.1.0rc0,)
Direct Vulnerabilities
Known vulnerabilities in the label-studio package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.Vulnerability | Vulnerable Version |
---|---|
label-studio is a Label Studio annotation tool Affected versions of this package are vulnerable to Improper Input Validation due to incomplete URL substring sanitization through the How to fix Improper Input Validation? Upgrade |
[,1.12.1)
|
label-studio is a Label Studio annotation tool Affected versions of this package are vulnerable to Arbitrary File Upload due to improper security checks. This could lead to malicious files being uploaded. How to fix Arbitrary File Upload? Upgrade |
[,1.8.0)
|
label-studio is a Label Studio annotation tool Affected versions of this package are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') due to improper sanitization of data imported via the file upload feature before rendering within a Note: This is only exploitable if the attacker has permission to use the "data import" function. How to fix Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')? Upgrade |
[,1.11.0)
|
label-studio is a Label Studio annotation tool Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) via the How to fix Server-Side Request Forgery (SSRF)? Upgrade |
[,1.11.0)
|
label-studio is a Label Studio annotation tool Affected versions of this package are vulnerable to Cross-site Scripting via the avatar image upload functionality. An attacker can execute arbitrary JavaScript and perform malicious actions if they upload a crafted image file that gets rendered as an HTML file on the website. Note: If an attacker can craft a JavaScript payload that adds a new Django Super Administrator user if a Django administrator visits the image. This could have subsequent system impact How to fix Cross-site Scripting? Upgrade |
[,1.9.2.post0)
|
label-studio is a Label Studio annotation tool Affected versions of this package are vulnerable to Cross-site Scripting via the remote import feature which allowed users to import data from a remote web source. An attacker can execute malicious JavaScript code in the context of the website by crafting a payload that, when visited, performs unauthorized actions such as adding a new super administrator user. Note: If an attacker can craft a JavaScript payload that adds a new Django Super Administrator user if a Django administrator visits the image. This may highly impact the subsequent system. How to fix Cross-site Scripting? Upgrade |
[,1.10.1)
|
label-studio is a Label Studio annotation tool Affected versions of this package are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor through the application's ability to set filters for filtering tasks. An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM). As the results of the query can be manipulated by the ORM filter, an attacker can leak these sensitive fields character by character. Furthermore, the application had a hard coded secret key that an attacker can use to forge a session token of any user by exploiting this ORM Leak vulnerability to leak account password hashes. How to fix Exposure of Sensitive Information to an Unauthorized Actor? Upgrade |
[,1.9.2.post0)
|
label-studio is a Label Studio annotation tool Affected versions of this package are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor due to improper authentication sanitization. An attacker can forge session tokens for all users on Label Studio using the hard coded How to fix Exposure of Sensitive Information to an Unauthorized Actor? Upgrade |
[,1.8.2)
|
label-studio is a Label Studio annotation tool Affected versions of this package are vulnerable to Directory Traversal which allows unauthenticated attackers to read all files on How to fix Directory Traversal? Upgrade |
[,1.7.2)
|