PT-2024-19985 · Unknown · Label Studio
Alex-Elttam · Published 2024-01-23 · Updated 2024-02-01 · CVE-2024-23633
CVSS v3.1: 4.7 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Label Studio versions prior to 1.10.1
Description
The remote import feature in Label Studio allowed users to import data from a remote web source, which could be abused to download an HTML file that executed malicious JavaScript code in the context of the Label Studio website. This could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image. For example, an attacker can craft a JavaScript payload that adds a new Django Super Administrator user if a Django administrator visits the image.
The Content-Type of the response was determined by the file extension, since mimetypes.guess_type guesses the Content-Type based on the file extension. An attacker could import a .html file that would execute JavaScript when visited. The API endpoint /api/projects/{project_id}/file-uploads?ids=[{download_id}] was used to retrieve the downloaded file path.
Recommendations
For all user-provided files that are downloaded by Label Studio, set the Content-Security-Policy: sandbox; response header when viewed on the site.
Restrict the allowed file extensions that may be downloaded.
Update to version 1.10.1 or later, which contains a patch for this issue.
Exploit
Fix
XSS
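The two recommendations above, as an added example that is not Label Studio's own code: a small Python helper that mirrors the vulnerable extension-driven Content-Type guess beside a hardened version that enforces an extension allowlist and sets the Content-Security-Policy: sandbox header on every served download. The allowlist contents and the function names are assumptions, not taken from the project.

```python
import mimetypes
from typing import Dict, Optional

# Added example (not Label Studio's own code): the weak behaviour described in
# the advisory, next to a hardened version of the same response-header logic.


def weak_headers(filename: str) -> Dict[str, str]:
    """Mirrors the vulnerable pattern: Content-Type comes straight from the
    file extension, so an imported .html file is rendered as text/html in the
    application's own origin and any script inside it runs with the user's session."""
    ctype, _ = mimetypes.guess_type(filename)
    return {"Content-Type": ctype or "application/octet-stream"}


# Extensions the import feature legitimately needs (assumed allowlist).
ALLOWED_EXTENSIONS = {".csv", ".tsv", ".json", ".txt", ".png", ".jpg", ".jpeg"}


def hardened_headers(filename: str) -> Optional[Dict[str, str]]:
    """Returns response headers for a downloaded user-provided file, or None
    when the file must be refused.

    - extension allowlist: .html and other script-capable types are never served
    - CSP sandbox: if a renderable type slips through, it runs in an opaque
      origin with no access to the Label Studio session or DOM
    - nosniff: the browser must not re-guess the type into text/html
    - attachment: the file is downloaded instead of displayed in the app origin
    """
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return None
    ctype, _ = mimetypes.guess_type(filename)
    return {
        "Content-Type": ctype or "application/octet-stream",
        "Content-Security-Policy": "sandbox",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
    }
```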
Weakness Enumeration
Related Identifiers
Affected Products
Label Studio