SCA: security update for label-studio (GHSA-6xv9-957j-qfhg)

medium Tenable Cloud Security Plugin ID 411714

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- ### Summary On all Label Studio versions prior to 1.11.0, data imported via file upload feature is not
properly sanitized prior to being rendered within a [`Choices`](https://labelstud.io/tags/choices) or
[`Labels`](https://labelstud.io/tags/labels) tag, resulting in an XSS vulnerability. ### Details Need
permission to use the "data import" function. This was reproduced on Label Studio 1.10.1. ### PoC 1.
Create a project. ![Create a project](https://github.com/HumanSignal/label-studio/assets/3943358/9b1536ad-
feac-4238-a1bd-ca9b1b798673) 2. Upload a file containing the payload using the "Upload Files" function.
![2 Upload a file containing the payload using the Upload Files
function](https://github.com/HumanSignal/label-studio/assets/3943358/26bb7af1-1cd2-408f-9adf-61e31a5b7328)
![3 complete](https://github.com/HumanSignal/label-
studio/assets/3943358/f2f62774-1fa6-4456-9e6f-8fa1ca0a2d2e) The following are the contents of the files
used in the PoC ``` { "data": { "prompt": "labelstudio universe image", "images": [ { "value": "id123#0",
"style": "margin: 5px", "html": "<img width='400' src='https://labelstud.io/_astro/images-
tab.64279c16_ZaBSvC.avif' onload=alert(document.cookie)>" } ] } } ``` 3. Select the text-to-image
generation labeling template of Ranking and scoring ![3 Select the text-to-image generation labelling
template for Ranking and scoring](https://github.com/HumanSignal/label-
studio/assets/3943358/f227f49c-a718-4738-bc2a-807da4f97155) ![5
save](https://github.com/HumanSignal/label-studio/assets/3943358/9b529f8a-8e99-4bb0-bdf6-bb7a95c9b75d) 4.
Select a task ![4 Select a task](https://github.com/HumanSignal/label-
studio/assets/3943358/71856b7a-2b1f-44ea-99ab-fc48bc20caa7) 5. Check that the script is running ![5 Check
that the script is running](https://github.com/HumanSignal/label-
studio/assets/3943358/e396ae7b-a591-4db7-afe9-5bab30b48cb9) ### Impact Malicious scripts can be injected
into the code, and when linked with vulnerabilities such as CSRF, it can cause even greater damage. In
particular, It can become a source of further attacks, especially when linked to social engineering.
(CVE-2024-26152)

Solution

Update the label-studio library and its related packages to version 1.11.0 or later.

See Also

https://github.com/advisories/GHSA-6xv9-957j-qfhg

Plugin Details

Severity: Medium

ID: 411714

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2024-26152

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/22/2024

Vulnerability Publication Date: 2/22/2024

Reference Information

CVE: CVE-2024-26152

cwe: CWE-79