David3107

**Name of the Vulnerable Software and Affected Versions** Label Studio versions prior to 1.22.0 **Description** Label Studio is a multi-type data labeling and annotation tool. A persistent stored cross-site scripting (XSS) issue exists in the custom hotkeys functionality. An authenticated attacker, or someone who can manipulate a user/administrator into updating their custom hotkeys, can inject JavaScript code. This code executes in other users’ browsers when they load pages using the templates/base.html template. The application exposes an **API endpoint** ''/api/current-user/token'' to the browser and has insufficient CSRF protection on some **API endpoints**, allowing the injected script to potentially obtain a victim’s **API token** or trigger token reset actions, leading to full account takeover and unauthorized **API access**. The **variable** `custom hotkeys` is involved in this issue. **Recommendations** Update to a version later than 1.22.0.