Label Studio
CVE-2024-26152
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Summary
On all Label Studio versions prior to 1.11.0, data imported via file upload feature is not properly sanitized prior to being rendered within a Choices or Labels tag, resulting in an XSS vulnerability.
Details
Need permission to use the "data import" function. This was reproduced on Label Studio 1.10.1.
PoC
- Create a project.
- Upload a file containing the payload using the "Upload Files" function.
!2 Upload a file containing the payload using the Upload Files function !3 complete
The following are the contents of the files used in the PoC
{
"data": {
"prompt": "labelstudio universe image",
"images": [
{
"value": "id123#0",
"style": "margin: 5px",
"html": "<img width='400' src='https://labelstud.io/_astro/images-tab.64279c16_ZaBSvC.avif' onload=alert(document.cookie)>"
}
]
}
}- Select the text-to-image generation labeling template of Ranking and scoring
!3 Select the text-to-image generation labelling template for Ranking and scoring !5 save
- Select a task
- Check that the script is running
!5 Check that the script is running
Impact
Malicious scripts can be injected into the code, and when linked with vulnerabilities such as CSRF, it can cause even greater damage. In particular, It can become a source of further attacks, especially when linked to social engineering.
AnalysisAI
Summary On all Label Studio versions prior to 1.11.0, data imported via file upload feature is not properly sanitized prior to being rendered within a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users.
Summary On all Label Studio versions prior to 1.11.0, data imported via file upload feature is not properly sanitized prior to being rendered within a Choices or Labels tag, resulting in an XSS vulnerability.
Details Need permission to use the "data import" function. This was reproduced on Label Studio 1.10.1.
PoC 1. Create a project. !Create a project 2. Upload a file containing the payload using the "Upload Files" function. !2 Upload a file containing the payload using the Upload Files function !3 complete The following are the contents of the files used in the PoC ` { "data": { "prompt": "labelstudio universe image", "images": [ { "value": "id123#0", "style": "margin: 5px", "html": "<img width='400' src='https://labelstud.io/_astro/images-tab.64279c16_ZaBSvC.avif' onload=alert(document.cookie)>" } ] } } ` 3. Select the text-to-image generation labeling template of Ranking and scoring !3 Select the text-to-image generation labelling template for Ranking and scoring !5 save 4. Select a task !4 Select a task 5. Check that the script is running !5 Check that the script is running
Impact Malicious scripts can be injected into the code, and when linked with vulnerabilities such as CSRF, it can cause even greater damage. In particular, It can become a source of further attacks, especially when linked to social engineering. Affected products include: Humansignal Label Studio. Version information: prior to 1.11.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
More in Label Studio
View allLabel Studio is an open source data labeling tool. Rated medium severity (CVSS 6.1), this vulnerability is remotely expl
Label Studio is a multi-type data labeling and annotation tool with standardized output format. Rated high severity (CVS
Label Studio is an open source data labeling tool. Rated high severity (CVSS 8.6), this vulnerability is remotely exploi
Label Studio is a multi-type data labeling and annotation tool. Rated high severity (CVSS 7.6), this vulnerability is re
A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.
Label Studio is an open source data labeling tool. Rated high severity (CVSS 7.5), this vulnerability is remotely exploi
Stored XSS in Label Studio's custom_hotkeys feature allows authenticated attackers to inject malicious JavaScript that e
Label Studio, an open source data labeling tool had a remote import feature allowed users to import data from a remote w
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today