CVE-2024-26152: 
Python vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in Label Studio versions prior to 1.11.0. The vulnerability exists when data imported via the file upload feature is not properly sanitized before being rendered within Choices or Labels tags (GitHub Advisory). The vulnerability was assigned CVE-2024-26152 and was patched in Label Studio version 1.11.0, released on January 30, 2024 (Release Notes).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 score of 4.7 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N. The issue specifically occurs when user-supplied data is uploaded through the file import feature and then rendered within the Choices or Labels tags without proper HTML sanitization (GitHub Advisory).

The vulnerability allows malicious scripts to be injected into the application code. When combined with other vulnerabilities such as CSRF, it can lead to more severe security implications. The issue can particularly serve as a vector for social engineering attacks (GitHub Advisory).

The vulnerability has been fixed in Label Studio version 1.11.0 through the implementation of comprehensive HTML sanitization. Users are advised to upgrade to version 1.11.0 or later to protect against this vulnerability (Release Notes).