CVE-2024-26152: Label Studio vulnerable to Cross-site Scripting if `<Choices>` or `<Labels>` are used in labeling config
On all Label Studio versions prior to 1.11.0, data imported via the file upload feature is not properly sanitized prior to being rendered within a `<Choices>` or `<Labels>` tag, resulting in an XSS vulnerability.
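To illustrate the bug class the advisory describes (imported data flowing unescaped into rendered `<Choices>` / `<Labels>` markup), here is an added example that is not Label Studio's code and does not reproduce the project's fix: it contrasts an unsafe string-concatenation render with one that HTML-escapes each imported value before it becomes markup. The `<Choices>` and `<Choice value="...">` tag names follow the advisory's labeling-config vocabulary; the function names and the sample import are constructed for this example.

```javascript
// Added example (not Label Studio code): escape imported values before they
// are interpolated into <Choice value="..."> markup.

// Escape the characters that can break out of attribute or text context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe pattern: the imported label text is concatenated straight into
// markup, so a value containing a quote or '<' changes document structure.
function renderChoicesUnsafe(choices) {
  return "<Choices>" +
    choices.map((c) => `<Choice value="${c}"/>`).join("") +
    "</Choices>";
}

// Hardened pattern: every imported value is escaped for attribute context
// first, so it can only ever be the attribute's text.
function renderChoicesSafe(choices) {
  return "<Choices>" +
    choices.map((c) => `<Choice value="${escapeHtml(c)}"/>`).join("") +
    "</Choices>";
}

// Detection helper: count <Choice> elements in the produced markup. If the
// count differs from the number of imported values, the data has altered
// the structure of the config rather than just filling in its text.
function countChoiceTags(markup) {
  return (markup.match(/<Choice\b/g) || []).length;
}

// Constructed sample import (hypothetical): the second value closes the
// attribute and injects an extra element plus a forged <Choice>.
const importedChoices = [
  "Cat",
  '"/><b>injected</b><Choice value="',
  "Dog",
];

// Stand-alone demonstration.
const unsafeMarkup = renderChoicesUnsafe(importedChoices);
const safeMarkup = renderChoicesSafe(importedChoices);
console.log("unsafe tag count:", countChoiceTags(unsafeMarkup)); // 4 (one forged)
console.log("safe tag count:  ", countChoiceTags(safeMarkup));   // 3 (one per input)
console.log(safeMarkup);
```

The structural check is the point worth keeping: a renderer that treats imported strings as data should always emit exactly one element per input value, and a test asserting that invariant catches this class of bug before the markup reaches a browser.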
References
- github.com/HumanSignal/label-studio
- github.com/HumanSignal/label-studio/commit/5df9ae3828b98652e9fa290a19f4deedf51ef6c8
- github.com/HumanSignal/label-studio/pull/5232
- github.com/HumanSignal/label-studio/releases/tag/1.11.0
- github.com/HumanSignal/label-studio/security/advisories/GHSA-6xv9-957j-qfhg
- github.com/advisories/GHSA-6xv9-957j-qfhg
- github.com/pypa/advisory-database/tree/main/vulns/label-studio/PYSEC-2024-249.yaml
- nvd.nist.gov/vuln/detail/CVE-2024-26152