CVE-2023-47115

Summary

CVE-2023-47115 is a cross-site scripting (XSS) vulnerability affecting Label Studio, an open-source data labeling tool, prior to version 1.9.2. Authenticated users can upload malicious image files, which are rendered as HTML on the website. Attackers can execute arbitrary JavaScript code, potentially adding new Django Super Administrator users or performing other malicious actions. The vulnerability arises due to insufficient file extension validation in Django's `serve` view, which is not secure for production use. An attacker can upload an image with malicious HTML content, named with a `.html` extension, to bypass client-side validation and trigger the XSS vulnerability. This issue is resolved in Label Studio version 1.9.2, but other mitigation strategies include server-side file extension validation or removing the use of Django's `serve` view and implementing a secure controller for viewing uploaded avatar images.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.