
Cloud Vulnerability DB
A community-led vulnerabilities database
Label Studio, a popular open source data labeling tool, contained a cross-site scripting (XSS) vulnerability (CVE-2023-47115) in versions prior to 1.9.2. The vulnerability could be exploited when an authenticated user uploaded a crafted image file as their avatar that the website then served as an HTML page. The issue was discovered in August 2023 by Alex Brown from elttam and was patched in version 1.9.2 (GitHub Advisory).
The vulnerability exists because Label Studio only verified that uploaded avatar files were images by extracting their dimensions, without validating the file extension on the server side. The application served avatars through Django's built-in serve view, which sets the Content-Type from the file extension in the URL path. An attacker could therefore bypass the client-side file extension check and upload a file that passes the image check but carries a .html extension and embedded HTML, which the server then delivered as an HTML page. The vulnerability has a CVSS v3.1 base score of 5.4 (Medium) according to NVD, with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).
When exploited, this vulnerability allows attackers to execute arbitrary JavaScript in the context of the Label Studio website whenever a user visits the URL of the crafted avatar image. For example, an attacker could craft a JavaScript payload that adds a new Django Super Administrator user if a Django administrator visits the compromised avatar image (GitHub Advisory).
The vulnerability was fixed in Label Studio version 1.9.2. The recommended mitigations include validating file extensions on the server side rather than in client-side code, replacing Django's serve view with a dedicated controller that serves uploaded avatar images safely, considering storing file content in the database rather than on the filesystem, and not trusting user-controlled input (GitHub Advisory).
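The following is an added example, not Label Studio's own code or the patch, that shows the shape of the server-side checks described above: the extension is matched against an allowlist, the file content must agree with the claimed extension, and the Content-Type used when serving comes from the validated stored name rather than from the request URL. The allowlist, the magic-byte table, the helper names and the sample inputs are assumptions constructed for this example. It also shows why a dimensions-only check is insufficient: the constructed PNG header passes `png_dimensions` but is still rejected once it is named with a .html extension.

```python
import os
import struct
import uuid

# Server-side allowlist: extension -> Content-Type we will serve it with.
# Assumed values for this example, not Label Studio's configuration.
ALLOWED_IMAGE_TYPES = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
}

# Leading bytes each allowed type must start with (assumed table for the example).
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_dimensions(data: bytes):
    """A dimensions-only check, like the one the advisory describes as the
    sole validation: read width/height from the PNG IHDR chunk.
    Returns (width, height) or None. On its own this says nothing about the
    name, and therefore the Content-Type, the bytes will be served under."""
    if data[:8] != PNG_SIGNATURE or len(data) < 24 or data[12:16] != b"IHDR":
        return None
    width, height = struct.unpack(">II", data[16:24])
    return width, height


def validate_avatar_upload(filename: str, data: bytes, max_bytes: int = 1_000_000):
    """Server-side validation of an avatar upload.
    Returns (ok, reason, content_type). The extension is taken from the
    client-supplied name only to compare it against the allowlist; the
    content must then match what that extension claims."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_IMAGE_TYPES:
        return False, f"extension {ext!r} is not an allowed image type", None
    if len(data) > max_bytes:
        return False, "file exceeds size limit", None
    if not data.startswith(MAGIC[ext]):
        return False, f"content does not match a {ext} image", None
    if ext == ".png" and png_dimensions(data) is None:
        return False, "PNG header is malformed", None
    return True, "ok", ALLOWED_IMAGE_TYPES[ext]


def storage_name(content_type: str) -> str:
    """Server-generated file name: the user never chooses the stored name or
    its extension, so the later Content-Type lookup cannot be influenced."""
    ext = next(e for e, ct in ALLOWED_IMAGE_TYPES.items() if ct == content_type)
    return f"{uuid.uuid4().hex}{ext}"


def avatar_response_headers(stored_name: str) -> dict:
    """Headers for a dedicated avatar view. Content-Type is derived from the
    validated stored name, not the URL, and nosniff tells browsers not to
    second-guess it."""
    ext = os.path.splitext(stored_name)[1].lower()
    return {
        "Content-Type": ALLOWED_IMAGE_TYPES[ext],
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{os.path.basename(stored_name)}"',
    }


# Constructed sample inputs (not taken from the advisory): PNG signature plus an
# IHDR chunk declaring a 1x1 image (CRC left as zeros; enough for a header
# check), and a plain HTML document.
MINIMAL_PNG = (
    PNG_SIGNATURE
    + struct.pack(">I", 13) + b"IHDR"
    + struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    + b"\x00\x00\x00\x00"
)
HTML_DOC = b"<html><body>not an image</body></html>"


if __name__ == "__main__":
    for name, blob in [("avatar.png", MINIMAL_PNG),
                       ("avatar.html", MINIMAL_PNG),
                       ("avatar.png", HTML_DOC)]:
        ok, reason, ctype = validate_avatar_upload(name, blob)
        print(f"{name:12} dims={png_dimensions(blob)} -> {ok} ({reason})")
    print(avatar_response_headers(storage_name("image/png")))
```

The second sample is the instructive one: `png_dimensions` returns `(1, 1)` for it, so a dimensions-only check would accept the upload, but the .html extension fails the allowlist before the content is ever looked at. The stored name and the response headers then depend only on values the server chose.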
Source: This report was generated using AI