
Cloud Vulnerability DB
A community-led vulnerabilities database
A Cross-Site Scripting (XSS) vulnerability was discovered in Label Studio's data import feature affecting all versions prior to 1.10.1. The vulnerability (CVE-2024-23633) was identified in January 2024 and allowed attackers to execute malicious JavaScript code in the context of the Label Studio website through the remote import feature (Label Studio Advisory).
The vulnerability existed in Label Studio's remote import functionality where files downloaded from external URLs were not properly sanitized. The issue stemmed from the Content-Type being determined by the file extension using mimetypes.guess_type, allowing attackers to upload HTML files containing malicious JavaScript that would execute when viewed. The vulnerability has a CVSS v3.1 score of 4.7 (Moderate) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N (Label Studio Advisory).
When exploited, this vulnerability could allow attackers to execute arbitrary JavaScript code in the context of the Label Studio website. This could potentially lead to malicious actions being performed on behalf of Label Studio users who visit crafted content, including the possibility of adding unauthorized administrator accounts if accessed by a Django administrator (Label Studio Advisory).
The vulnerability has been patched in Label Studio version 1.10.1. The recommended mitigation includes setting the Content-Security-Policy: sandbox; response header for all user-provided files downloaded by Label Studio, and restricting the allowed file extensions that can be downloaded (Label Studio Advisory).
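The two mitigations above, an extension allowlist plus a Content-Security-Policy: sandbox header on served files, side by side with the extension-only Content-Type logic the advisory describes. This is an added illustration written for this page, not Label Studio's own code; the allowlist contents, the function names and the extra X-Content-Type-Options header are assumptions, since the advisory does not list which extensions Label Studio permits.

```python
import mimetypes
from pathlib import PurePosixPath

# Constructed allowlist for this example: typical task-import formats. The
# advisory recommends restricting extensions but does not enumerate them.
ALLOWED_EXTENSIONS = {".json", ".csv", ".tsv", ".txt"}


class DisallowedExtension(ValueError):
    """Raised when a downloaded file's extension is not on the allowlist."""


def unsafe_download_headers(filename: str) -> dict:
    """Pattern described for versions before 1.10.1: the response Content-Type
    comes solely from the file extension, so a downloaded .html file is served
    as text/html and any script inside it runs in the site's origin."""
    content_type, _ = mimetypes.guess_type(filename)
    return {"Content-Type": content_type or "application/octet-stream"}


def is_allowed_filename(filename: str, allowed=frozenset(ALLOWED_EXTENSIONS)) -> bool:
    """Case-insensitive allowlist check on the last suffix only."""
    return PurePosixPath(filename).suffix.lower() in allowed


def hardened_download_headers(filename: str, allowed=frozenset(ALLOWED_EXTENSIONS)) -> dict:
    """Both advisory mitigations: refuse extensions outside the allowlist and
    serve everything that remains under a sandboxed CSP, which blocks script
    execution and treats the document as an opaque origin."""
    if not is_allowed_filename(filename, allowed):
        raise DisallowedExtension(f"extension of {filename!r} is not permitted")
    content_type, _ = mimetypes.guess_type(filename)
    return {
        "Content-Type": content_type or "application/octet-stream",
        "Content-Security-Policy": "sandbox",
        # Not in the advisory; a common companion header that stops browsers
        # from sniffing a different type than the one declared.
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print("unsafe:", unsafe_download_headers("evil.html"))
    print("hardened:", hardened_download_headers("tasks.json"))
    try:
        hardened_download_headers("evil.html")
    except DisallowedExtension as exc:
        print("rejected:", exc)
```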
Source: This report was generated using AI