SCA: security update for label-studio (GHSA-q68h-xwq5-mm7x)

medium Tenable Self-Hosted Container Security Plugin ID 417921

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Label Studio is an a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site
scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image
file for their avatar that gets rendered as a HTML file on the website. Executing arbitrary JavaScript
could result in an attacker performing malicious actions on Label Studio users if they visit the crafted
avatar image. For an example, an attacker can craft a JavaScript payload that adds a new Django Super
Administrator user if a Django administrator visits the image. The file `users/functions.py` lines 18-49
show that the only verification check is that the file is an image by extracting the dimensions from the
file. Label Studio serves avatar images using Django's built-in `serve` view, which is not secure for
production use according to Django's documentation. The issue with the Django `serve` view is that it
determines the `Content-Type` of the response by the file extension in the URL path. Therefore, an
attacker can upload an image that contains malicious HTML code and name the file with a `.html` extension
to be rendered as a HTML page. The only file extension validation is performed on the client-side, which
can be easily bypassed. Version 1.9.2 fixes this issue. Other remediation strategies include validating
the file extension on the server side, not in client-side code; removing the use of Django's `serve` view
and implement a secure controller for viewing uploaded avatar images; saving file content in the database
rather than on the filesystem to mitigate against other file related vulnerabilities; and avoiding
trusting user controlled inputs. (CVE-2023-47115)

See Also

https://github.com/advisories/GHSA-q68h-xwq5-mm7x

Plugin Details

Severity: Medium

ID: 417921

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2023-47115

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/24/2024

Vulnerability Publication Date: 1/23/2024

Reference Information

CVE: CVE-2023-47115

cwe: CWE-79