cve/2024/CVE-2024-26152.md

### [CVE-2024-26152](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26152)
![](https://img.shields.io/static/v1?label=Product&message=label-studio&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%201.11.0%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-79%3A%20Improper%20Neutralization%20of%20Input%20During%20Web%20Page%20Generation%20('Cross-site%20Scripting')&color=brighgreen)

### Description

### SummaryOn all Label Studio versions prior to 1.11.0, data imported via file upload feature is not properly sanitized prior to being rendered within a [`Choices`](https://labelstud.io/tags/choices) or [`Labels`](https://labelstud.io/tags/labels) tag, resulting in an XSS vulnerability.### DetailsNeed permission to use the "data import" function. This was reproduced on Label Studio 1.10.1.### PoC1. Create a project.![Create a project](https://github.com/HumanSignal/label-studio/assets/3943358/9b1536ad-feac-4238-a1bd-ca9b1b798673)2. Upload a file containing the payload using the "Upload Files" function.![2  Upload a file containing the payload using the Upload Files function](https://github.com/HumanSignal/label-studio/assets/3943358/26bb7af1-1cd2-408f-9adf-61e31a5b7328)![3  complete](https://github.com/HumanSignal/label-studio/assets/3943358/f2f62774-1fa6-4456-9e6f-8fa1ca0a2d2e)The following are the contents of the files used in the PoC```{  "data": {    "prompt": "labelstudio universe image",    "images": [      {        "value": "id123#0",        "style": "margin: 5px",        "html": "<img width='400' src='https://labelstud.io/_astro/images-tab.64279c16_ZaBSvC.avif' onload=alert(document.cookie)>"      }    ]  }}```3. Select the text-to-image generation labeling template of Ranking and scoring![3  Select the text-to-image generation labelling template for Ranking and scoring](https://github.com/HumanSignal/label-studio/assets/3943358/f227f49c-a718-4738-bc2a-807da4f97155)![5  save](https://github.com/HumanSignal/label-studio/assets/3943358/9b529f8a-8e99-4bb0-bdf6-bb7a95c9b75d)4. Select a task![4  Select a task](https://github.com/HumanSignal/label-studio/assets/3943358/71856b7a-2b1f-44ea-99ab-fc48bc20caa7)5. Check that the script is running![5  Check that the script is running](https://github.com/HumanSignal/label-studio/assets/3943358/e396ae7b-a591-4db7-afe9-5bab30b48cb9)### ImpactMalicious scripts can be injected into the code, and when linked with vulnerabilities such as CSRF, it can cause even greater damage. In particular, It can become a source of further attacks, especially when linked to social engineering.

### POC

#### Reference
- https://github.com/HumanSignal/label-studio/security/advisories/GHSA-6xv9-957j-qfhg

#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`### [CVE-2024-26152](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26152)`
			`![](https://img.shields.io/static/v1?label=Product&message=label-studio&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%201.11.0%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-79%3A%20Improper%20Neutralization%20of%20Input%20During%20Web%20Page%20Generation%20('Cross-site%20Scripting')&color=brighgreen)`

			`### Description`

			### SummaryOn all Label Studio versions prior to 1.11.0, data imported via file upload feature is not properly sanitized prior to being rendered within a [`Choices`](https://labelstud.io/tags/choices) or [`Labels`](https://labelstud.io/tags/labels) tag, resulting in an XSS vulnerability.### DetailsNeed permission to use the "data import" function. This was reproduced on Label Studio 1.10.1.### PoC1. Create a project.![Create a project](https://github.com/HumanSignal/label-studio/assets/3943358/9b1536ad-feac-4238-a1bd-ca9b1b798673)2. Upload a file containing the payload using the "Upload Files" function.![2 Upload a file containing the payload using the Upload Files function](https://github.com/HumanSignal/label-studio/assets/3943358/26bb7af1-1cd2-408f-9adf-61e31a5b7328)![3 complete](https://github.com/HumanSignal/label-studio/assets/3943358/f2f62774-1fa6-4456-9e6f-8fa1ca0a2d2e)The following are the contents of the files used in the PoC```{ "data": { "prompt": "labelstudio universe image", "images": [ { "value": "id123#0", "style": "margin: 5px", "html": "<img width='400' src='https://labelstud.io/_astro/images-tab.64279c16_ZaBSvC.avif' onload=alert(document.cookie)>" } ] }}```3. Select the text-to-image generation labeling template of Ranking and scoring![3 Select the text-to-image generation labelling template for Ranking and scoring](https://github.com/HumanSignal/label-studio/assets/3943358/f227f49c-a718-4738-bc2a-807da4f97155)![5 save](https://github.com/HumanSignal/label-studio/assets/3943358/9b529f8a-8e99-4bb0-bdf6-bb7a95c9b75d)4. Select a task![4 Select a task](https://github.com/HumanSignal/label-studio/assets/3943358/71856b7a-2b1f-44ea-99ab-fc48bc20caa7)5. Check that the script is running![5 Check that the script is running](https://github.com/HumanSignal/label-studio/assets/3943358/e396ae7b-a591-4db7-afe9-5bab30b48cb9)### ImpactMalicious scripts can be injected into the code, and when linked with vulnerabilities such as CSRF, it can cause even greater damage. In particular, It can become a source of further attacks, especially when linked to social engineering.

			`### POC`

			`#### Reference`
			`- https://github.com/HumanSignal/label-studio/security/advisories/GHSA-6xv9-957j-qfhg`

			`#### Github`
			`- https://github.com/fkie-cad/nvd-json-data-feeds`