CVE-2024-26152

Advisory

Label Studio before 1.11.0 is vulnerable to cross-site scripting (XSS) because it fails to properly sanitize data uploaded via the file upload feature before it is rendered within Choices or Labels tags. This vulnerability allows attackers to inject malicious scripts that could execute within the user's browser session. However, exploitation is contingent upon the attacker having permission to use the "data import" function.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://github.com/HumanSignal/label-studio/commit/5df9ae3828b98652e9fa290a19f4deedf51ef6c8
• https://github.com/HumanSignal/label-studio/pull/5232
• https://github.com/HumanSignal/label-studio/releases/tag/1.11.0
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26152