U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2024-26152

Change History

New CVE Received by NIST 2/22/2024 5:15:47 PM

Action Type Old Value New Value
Added CVSS V3.1

GitHub, Inc. AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Added CWE

GitHub, Inc. CWE-79
Added Description

### Summary
On all Label Studio versions prior to 1.11.0, data imported via file upload feature is not properly sanitized prior to being rendered within a [`Choices`](https://labelstud.io/tags/choices) or [`Labels`](https://labelstud.io/tags/labels) tag, resulting in an XSS vulnerability.

### Details
Need permission to use the "data import" function. This was reproduced on Label Studio 1.10.1.

### PoC

1. Create a project.
![Create a project](https://github.com/HumanSignal/label-studio/assets/3943358/9b1536ad-feac-4238-a1bd-ca9b1b798673)

2. Upload a file containing the payload using the "Upload Files" function.
![2  Upload a file containing the payload using the Upload Files function](https://github.com/HumanSignal/label-studio/assets/3943358/26bb7af1-1cd2-408f-9adf-61e31a5b7328)
![3  complete](https://github.com/HumanSignal/label-studio/assets/3943358/f2f62774-1fa6-4456-9e6f-8fa1ca0a2d2e)

The following are the contents of the files used in the PoC
  "data": {
    "prompt": "labelstudio universe image",
    "images": [
        "value": "id123#0",
        "style": "margin: 5px",
        "html": "<img width='400' src='https://labelstud.io/_astro/images-tab.64279c16_ZaBSvC.avif' onload=alert(document.cookie)>"

3. Select the text-to-image generation labeling template of Ranking and scoring
![3  Select the text-to-image generation labelling template for Ranking and scoring](https://github.com/HumanSignal/label-studio/assets/3943358/f227f49c-a718-4738-bc2a-807da4f97155)
![5  save](https://github.com/HumanSignal/label-studio/assets/3943358/9b529f8a-8e99-4bb0-bdf6-bb7a95c9b75d)

4. Select a task
![4  Select a task](https://github.com/HumanSignal/label-studio/assets/3943358/71856b7a-2b1f-44ea-99ab-fc48bc20caa7)

5. Check that the script is running
![5  Check that the script is running](https://github.com/HumanSignal/label-studio/assets/3943358/e396ae7b-a591-4db7-afe9-5bab30b48cb9)

### Impact
Malicious scripts can be injected into the code, and when linked with vulnerabilities such as CSRF, it can cause even greater damage. In particular, It can become a source of further attacks, especially when linked to social engineering.
Added Reference

GitHub, Inc. https://github.com/HumanSignal/label-studio/commit/5df9ae3828b98652e9fa290a19f4deedf51ef6c8 [No types assigned]
Added Reference

GitHub, Inc. https://github.com/HumanSignal/label-studio/pull/5232 [No types assigned]
Added Reference

GitHub, Inc. https://github.com/HumanSignal/label-studio/releases/tag/1.11.0 [No types assigned]
Added Reference

GitHub, Inc. https://github.com/HumanSignal/label-studio/security/advisories/GHSA-6xv9-957j-qfhg [No types assigned]