Unknown · Label Studio · CVE-2025-47783
Name of the Vulnerable Software and Affected Versions:
Label Studio versions prior to 1.18.0
Description:
A vulnerability in Label Studio allows an attacker to inject a malicious script into the context of a web page (cross-site scripting), which can lead to data theft, session hijacking, unauthorized actions on behalf of the user, and other attacks. The issue is reproducible by sending a properly formatted request to the `POST /projects/upload-example/` endpoint. The vulnerable code is located in `label_studio/projects/views.py` and involves the `label_config` parameter.
Recommendations:
For versions prior to 1.18.0, update to version 1.18.0, which contains a patch for the issue. As a temporary workaround, consider restricting access to the `POST /projects/upload-example/` endpoint and avoiding the use of the `label_config` parameter until the update is applied.
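One way to apply the temporary workaround at the application boundary, as an added illustration that is not part of Label Studio or of this advisory: Label Studio is served as a WSGI application, so a small middleware wrapped around it can reject POST requests to the affected endpoint until the 1.18.0 upgrade is in place. The class name, the stub `demo_app` standing in for the real Django application, and the `call` helper that drives it with a constructed environ are all assumptions made for this example; a reverse proxy `location` rule would achieve the same effect in front of the server.

```python
"""Temporary WSGI middleware denying POST /projects/upload-example/ until the
fixed release is deployed. Illustrative code only (not Label Studio's own);
`demo_app` is a stub standing in for the real Django WSGI application."""

BLOCKED_PATH = "/projects/upload-example/"
BLOCKED_METHODS = {"POST"}


class BlockUploadExample:
    """Return 403 for POST to the affected endpoint; pass everything else through."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        path = environ.get("PATH_INFO", "")
        # Normalise a missing trailing slash so "/projects/upload-example" is
        # caught too, rather than relying on a later redirect.
        normalised = path.rstrip("/") + "/"
        if method in BLOCKED_METHODS and normalised == BLOCKED_PATH:
            body = b"Endpoint temporarily disabled (CVE-2025-47783 workaround)\n"
            start_response(
                "403 Forbidden",
                [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))],
            )
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the real application: answers 200 to anything."""
    body = b"ok\n"
    start_response(
        "200 OK",
        [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))],
    )
    return [body]


def call(app, method, path):
    """Invoke a WSGI app with a constructed environ; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "8080",
        "wsgi.url_scheme": "http",
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], body


# In a real deployment this wrapping would go in the project's wsgi.py
# around the Django application object.
wrapped = BlockUploadExample(demo_app)

if __name__ == "__main__":
    for m, p in [
        ("POST", "/projects/upload-example/"),
        ("GET", "/projects/upload-example/"),
        ("POST", "/projects/"),
    ]:
        print(m, p, "->", call(wrapped, m, p)[0])
```

Only the affected method and path are denied, so the rest of the application keeps working while the upgrade is scheduled; remove the middleware once 1.18.0 is running, since the real fix is the patched view, not the block.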