CVE-2024-26152

Name of the Vulnerable Software and Affected Versions Label Studio versions prior to 1.11.0

Description The issue arises from improper sanitization of data imported via the file upload feature, which is then rendered within a Choices or Labels tag, resulting in an XSS vulnerability. To exploit this, an attacker needs permission to use the "data import" function. This vulnerability can lead to malicious scripts being injected into the code. When combined with other vulnerabilities, such as CSRF, it can cause greater damage, potentially leading to further attacks, especially those linked to social engineering.

Recommendations For Label Studio versions prior to 1.11.0, update to version 1.11.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the file upload feature to minimize the risk of exploitation. Additionally, avoid using the html parameter in the affected API endpoint until the issue is resolved.