CVE-2023-47115: Cross-site Scripting Vulnerability on Avatar Upload
The following snippet from Label Studio 1.8.2 (label_studio/users/functions.py) shows that the only validation applied to an uploaded avatar is that Django's get_image_dimensions can read a width and height from the file. Nothing checks the file's extension or declared content type, and hash_upload keeps the user-supplied filename, extension included, when building the storage path.
```python
import uuid

from django import forms
from django.conf import settings
from django.core.files.images import get_image_dimensions


def hash_upload(instance, filename):
    # The user-supplied filename (and its extension) is preserved, only prefixed
    # with a short random hash.
    filename = str(uuid.uuid4())[0:8] + '-' + filename
    return settings.AVATAR_PATH + '/' + filename  # <3>


def check_avatar(files):
    images = list(files.items())
    if not images:
        return None
    filename, avatar = list(files.items())[0]  # get first file
    # The only validation: can Pillow read dimensions from the upload?
    w, h = get_image_dimensions(avatar)  # <1>
    if not w or not h:
        raise forms.ValidationError("Can't read image, try another one")
```
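The following is an added example, not code from Label Studio or from its fix commit. It puts a dependency-free stand-in for get_image_dimensions (PNG and GIF headers only) beside the page's dimension-only check, and next to it a stricter check that also requires the claimed extension to match the sniffed content and generates the stored filename instead of reusing the upload's name. PNG_1X1, detect_image_format, check_avatar_original, check_avatar_hardened and is_rejected are names assumed for this example.

```python
import struct
import uuid

# Constructed sample input: the signature and IHDR chunk of a 1x1 PNG, which is
# all the header sniffer below needs.
PNG_1X1 = (
    b'\x89PNG\r\n\x1a\n'                    # PNG signature
    + b'\x00\x00\x00\x0dIHDR'               # IHDR chunk length + type
    + b'\x00\x00\x00\x01\x00\x00\x00\x01'   # width = 1, height = 1
    + b'\x08\x06\x00\x00\x00'               # bit depth, colour type, compression, filter, interlace
    + b'\x1f\x15\xc4\x89'                   # IHDR CRC
)

# Formats this example accepts, mapped to the extension the stored file will get.
ALLOWED = {'png': 'png', 'gif': 'gif'}


def detect_image_format(data):
    """Sniff the container from its magic bytes: 'png', 'gif' or None."""
    if data.startswith(b'\x89PNG\r\n\x1a\n'):
        return 'png'
    if data[:6] in (b'GIF87a', b'GIF89a'):
        return 'gif'
    return None


def get_image_dimensions(data):
    """Stand-in for django's get_image_dimensions: (w, h) or (None, None)."""
    fmt = detect_image_format(data)
    if fmt == 'png' and len(data) >= 24:
        return struct.unpack('>II', data[16:24])   # IHDR width, height (big endian)
    if fmt == 'gif' and len(data) >= 10:
        return struct.unpack('<HH', data[6:10])    # logical screen width, height
    return None, None


def check_avatar_original(filename, data):
    """The page's logic: only asks whether dimensions can be read, then keeps
    the user-supplied name (and extension) exactly as hash_upload does."""
    w, h = get_image_dimensions(data)
    if not w or not h:
        raise ValueError("Can't read image, try another one")
    return str(uuid.uuid4())[0:8] + '-' + filename


def check_avatar_hardened(filename, data):
    """Stricter check: content must be a recognised image, the claimed
    extension must be allowlisted and agree with the content, and the stored
    name is generated, so no user-controlled extension reaches the filesystem."""
    fmt = detect_image_format(data)
    w, h = get_image_dimensions(data)
    if fmt is None or not w or not h:
        raise ValueError("Can't read image, try another one")
    ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    if ext != ALLOWED[fmt]:
        raise ValueError('extension %r does not match image content (%s)' % (ext, fmt))
    return uuid.uuid4().hex + '.' + ALLOWED[fmt]


def is_rejected(check, filename, data):
    """True if the given check raises ValueError for this upload."""
    try:
        check(filename, data)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    # Valid PNG bytes under a .html name: the original check accepts it and
    # keeps the .html extension; the hardened check rejects it.
    print(check_avatar_original('evil.html', PNG_1X1))
    print(is_rejected(check_avatar_hardened, 'evil.html', PNG_1X1))
    print(check_avatar_hardened('me.png', PNG_1X1))
```

The point of the comparison is the return value, not the raise: the original check lets the stored path end in whatever extension the client chose, so the only thing standing between the upload and a text/html response is how the static file server maps extensions to content types.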
References
- docs.djangoproject.com/en/4.2/ref/views/
- github.com/HumanSignal/label-studio
- github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py
- github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py
- github.com/HumanSignal/label-studio/commit/a7a71e594f32ec4af8f3f800d5ccb8662e275da3
- github.com/HumanSignal/label-studio/security/advisories/GHSA-q68h-xwq5-mm7x
- github.com/advisories/GHSA-q68h-xwq5-mm7x
- github.com/pypa/advisory-database/tree/main/vulns/label-studio/PYSEC-2024-126.yaml
- nvd.nist.gov/vuln/detail/CVE-2023-47115