Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affecting label-studio package, versions [,1.11.0)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-LABELSTUDIO-6264034
- published 23 Feb 2024
- disclosed 22 Feb 2024
- credit isacaya
Introduced: 22 Feb 2024
CVE-2024-26152 Open this link in a new tabHow to fix?
Upgrade label-studio to version 1.11.0 or higher.
Overview
label-studio is a Label Studio annotation tool
Affected versions of this package are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') due to improper sanitization of data imported via the file upload feature before rendering within a Choices or Labels tag. An attacker can inject malicious scripts into the web page, which could be executed in the context of the user's browser session by uploading a file containing a payload.
Note:
This is only exploitable if the attacker has permission to use the "data import" function.
PoC
{
"data": {
"prompt": "labelstudio universe image",
"images": [
{
"value": "id123#0",
"style": "margin: 5px",
"html": "<img width='400' src='https://labelstud.io/_astro/images-tab.64279c16_ZaBSvC.avif' onload=alert(document.cookie)>"
}
]
}
}