PT-2024-13407 · Unknown+1 · Label Studio+1

Alex-Elttam · Published 2024-01-23 · Updated 2024-02-01 · CVE-2023-47115

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Label Studio versions prior to 1.9.2
Description: The issue is a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as an HTML file on the website. This could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image. For example, an attacker can craft a JavaScript payload that adds a new Django Super Administrator user if a Django administrator visits the image. The vulnerability is due to the use of Django's built-in serve view, which determines the Content-Type of the response from the file extension in the URL path, combined with the lack of server-side validation of the file extension.
Recommendations: For versions prior to 1.9.2, validate the file extension on the server side, not in client-side code. Remove the use of Django's serve view and implement a secure controller for viewing uploaded avatar images. Consider saving file content in the database rather than on the filesystem to mitigate other file-related vulnerabilities. Avoid trusting user-controlled inputs. Update to version 1.9.2 or later to fix the issue.
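A server-side check of the kind the recommendations call for, written as an added example (Python, standard library only; this is not Label Studio's own code and not Django's serve view): the first function reproduces the weak behaviour of deriving the Content-Type from the extension in the URL path, the remaining functions validate an uploaded avatar against an extension allowlist plus image magic bytes and build response headers with a fixed image Content-Type and `nosniff`. The function names, the allowlist contents and the sample byte strings are constructed for this example.

```python
"""Server-side avatar validation and safe response headers (added example).

Not Label Studio's code. Sample uploads below are constructed inline.
"""
import mimetypes
import os

# Allowlist: accepted extension -> the Content-Type the avatar is served with.
ALLOWED_IMAGE_TYPES = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
}

# Leading bytes each allowed image type must start with (checked on upload).
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample uploads: two real-looking image headers and an HTML body.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16
HTML_SAMPLE = b"<!doctype html><p>not an image</p>"


def content_type_from_extension(url_path: str) -> str:
    """The weak behaviour: trust whatever extension appears in the URL path.

    A static-file view that does this will serve 'avatar.html' as text/html,
    so any user-controlled name becomes a user-controlled Content-Type.
    """
    guessed, _ = mimetypes.guess_type(url_path)
    return guessed or "application/octet-stream"


def validate_avatar(filename: str, data: bytes) -> str:
    """Server-side validation; returns the canonical Content-Type or raises.

    Both checks are needed: the allowlist rejects non-image extensions, and the
    magic-byte check rejects an image extension pasted onto non-image content.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_IMAGE_TYPES:
        raise ValueError(f"disallowed avatar extension: {ext!r}")
    content_type = ALLOWED_IMAGE_TYPES[ext]
    if not any(data.startswith(magic) for magic in MAGIC[content_type]):
        raise ValueError("file content does not match the declared image type")
    return content_type


def is_valid_avatar(filename: str, data: bytes) -> bool:
    """Boolean wrapper around validate_avatar for callers that only need yes/no."""
    try:
        validate_avatar(filename, data)
        return True
    except ValueError:
        return False


def avatar_response_headers(filename: str, data: bytes) -> dict:
    """Headers for serving a validated avatar from a dedicated view.

    The Content-Type comes from the allowlist, never from the request path;
    nosniff stops the browser second-guessing it, and the CSP keeps anything
    that slipped through from running scripts if it were ever rendered.
    """
    content_type = validate_avatar(filename, data)
    ext = os.path.splitext(filename)[1].lower()
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="avatar{ext}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Weak path: the extension alone decides the type, so .html renders as HTML.
    print("serve-view style:", content_type_from_extension("/avatars/me.html"))
    # Hardened path: non-image names and spoofed extensions are both rejected.
    for name, body in [("me.png", PNG_SAMPLE), ("me.html", HTML_SAMPLE),
                       ("me.png", HTML_SAMPLE), ("me.png.html", HTML_SAMPLE)]:
        print(name, "->", "accepted" if is_valid_avatar(name, body) else "rejected")
    print(avatar_response_headers("me.jpg", JPEG_SAMPLE))
```

Run it directly to see the weak and hardened behaviour side by side; in a real deployment the validation belongs at upload time and the headers are emitted by the dedicated avatar view, with the file stored under a server-generated name so the request path never reaches the filesystem or the Content-Type logic.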

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2023-47115
GHSA-Q68H-XWQ5-MM7X
PYSEC-2024-126

Affected Products

Django
Label Studio