Cross-site Scripting Affecting label-studio package, versions [,1.10.1)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-LABELSTUDIO-6186427
- published 24 Jan 2024
- disclosed 24 Jan 2024
- credit alex-elttam
Introduced: 24 Jan 2024
CVE-2024-23633 Open this link in a new tabHow to fix?
Upgrade label-studio to version 1.10.1 or higher.
Overview
label-studio is a Label Studio annotation tool
Affected versions of this package are vulnerable to Cross-site Scripting via the remote import feature which allowed users to import data from a remote web source. An attacker can execute malicious JavaScript code in the context of the website by crafting a payload that, when visited, performs unauthorized actions such as adding a new super administrator user.
Note:
If an attacker can craft a JavaScript payload that adds a new Django Super Administrator user if a Django administrator visits the image. This may highly impact the subsequent system.
Workarounds
For all user provided files that are downloaded by Label Studio, set the Content-Security-Policy: sandbox; response header when viewed on the site. The sandbox directive restricts a page's actions to prevent popups, execution of plugins and scripts and enforces a same-origin policy documentation.
Restrict the allowed file extensions that could be downloaded.