{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-16T22:52:50.505","vulnerabilities":[{"cve":{"id":"CVE-2024-26152","sourceIdentifier":"security-advisories@github.com","published":"2024-02-22T22:15:47.310","lastModified":"2025-05-16T14:18:25.530","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"### Summary\nOn all Label Studio versions prior to 1.11.0, data imported via file upload feature is not properly sanitized prior to being rendered within a [`Choices`](https://labelstud.io/tags/choices) or [`Labels`](https://labelstud.io/tags/labels) tag, resulting in an XSS vulnerability.\n\n### Details\nNeed permission to use the \"data import\" function. This was reproduced on Label Studio 1.10.1.\n\n### PoC\n\n1. Create a project.\n![Create a project](https://github.com/HumanSignal/label-studio/assets/3943358/9b1536ad-feac-4238-a1bd-ca9b1b798673)\n\n2. Upload a file containing the payload using the \"Upload Files\" function.\n![2  Upload a file containing the payload using the Upload Files function](https://github.com/HumanSignal/label-studio/assets/3943358/26bb7af1-1cd2-408f-9adf-61e31a5b7328)\n![3  complete](https://github.com/HumanSignal/label-studio/assets/3943358/f2f62774-1fa6-4456-9e6f-8fa1ca0a2d2e)\n\nThe following are the contents of the files used in the PoC\n```\n{\n  \"data\": {\n    \"prompt\": \"labelstudio universe image\",\n    \"images\": [\n      {\n        \"value\": \"id123#0\",\n        \"style\": \"margin: 5px\",\n        \"html\": \"<img width='400' src='https://labelstud.io/_astro/images-tab.64279c16_ZaBSvC.avif' onload=alert(document.cookie)>\"\n      }\n    ]\n  }\n}\n```\n\n3. Select the text-to-image generation labeling template of Ranking and scoring\n![3  Select the text-to-image generation labelling template for Ranking and scoring](https://github.com/HumanSignal/label-studio/assets/3943358/f227f49c-a718-4738-bc2a-807da4f97155)\n![5  save](https://github.com/HumanSignal/label-studio/assets/3943358/9b529f8a-8e99-4bb0-bdf6-bb7a95c9b75d)\n\n4. Select a task\n![4  Select a task](https://github.com/HumanSignal/label-studio/assets/3943358/71856b7a-2b1f-44ea-99ab-fc48bc20caa7)\n\n5. Check that the script is running\n![5  Check that the script is running](https://github.com/HumanSignal/label-studio/assets/3943358/e396ae7b-a591-4db7-afe9-5bab30b48cb9)\n\n### Impact\nMalicious scripts can be injected into the code, and when linked with vulnerabilities such as CSRF, it can cause even greater damage. In particular, It can become a source of further attacks, especially when linked to social engineering.\n"},{"lang":"es","value":"### Resumen En todas las versiones de Label Studio anteriores a la 1.11.0, los datos importados mediante la función de carga de archivos no se desinfectan adecuadamente antes de procesarse dentro de [`Choices`](https://labelstud.io/tags/choices) o [`Labels`](https://labelstud.io/tags/labels), lo que genera una vulnerabilidad XSS. ### Detalles Necesita permiso para utilizar la función \"importación de datos\". Esto fue reproducido en Label Studio 1.10.1. ### PoC 1. Cree un proyecto. ![Crear un proyecto](https://github.com/HumanSignal/label-studio/assets/3943358/9b1536ad-feac-4238-a1bd-ca9b1b798673) 2. Cargue un archivo que contenga la carga útil usando la función \"Cargar archivos\" . ![2 Cargue un archivo que contenga la carga útil usando la función Cargar archivos](https://github.com/HumanSignal/label-studio/assets/3943358/26bb7af1-1cd2-408f-9adf-61e31a5b7328) ![3 completo]( https://github.com/HumanSignal/label-studio/assets/3943358/f2f62774-1fa6-4456-9e6f-8fa1ca0a2d2e) Los siguientes son los contenidos de los archivos utilizados en el PoC ``` { \"data\": { \" Prompt\": \"imagen del universo de labelstudio\", \"images\": [ { \"value\": \"id123#0\", \"style\": \"margin: 5px\", \"html\": \"\" } ] } } ``` 3. Seleccione la plantilla de etiquetado de generación de texto a imagen de Clasificación y puntuación![3 Seleccione la plantilla de etiquetado de generación de texto a imagen para Clasificación y puntuación](https://github.com/HumanSignal/label-studio/assets/3943358/f227f49c-a718-4738-bc2a-807da4f97155)![ 5 guardar](https://github.com/HumanSignal/label-studio/assets/3943358/9b529f8a-8e99-4bb0-bdf6-bb7a95c9b75d) 4. ¡Seleccione una tarea! [4 Seleccione una tarea](https://github.com/HumanSignal/label-studio/assets/3943358/71856b7a-2b1f-44ea-99ab-fc48bc20caa7) 5. ¡Compruebe que el script se esté ejecutando! [5 Compruebe que el script se esté ejecutando](https://github.com/ HumanSignal/label-studio/assets/3943358/e396ae7b-a591-4db7-afe9-5bab30b48cb9) ### Impacto Se pueden inyectar scripts maliciosos en el código y, cuando se vinculan con vulnerabilidades como CSRF, pueden causar un daño aún mayor. En particular, puede convertirse en una fuente de nuevos ataques, especialmente cuando se vincula a la ingeniería social."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*:*","versionEndExcluding":"1.11.0","matchCriteriaId":"27567917-A7FB-4767-B9F6-6C8D422D62E7"}]}]}],"references":[{"url":"https://github.com/HumanSignal/label-studio/commit/5df9ae3828b98652e9fa290a19f4deedf51ef6c8","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/HumanSignal/label-studio/pull/5232","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/HumanSignal/label-studio/releases/tag/1.11.0","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/HumanSignal/label-studio/security/advisories/GHSA-6xv9-957j-qfhg","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://github.com/HumanSignal/label-studio/commit/5df9ae3828b98652e9fa290a19f4deedf51ef6c8","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://github.com/HumanSignal/label-studio/pull/5232","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://github.com/HumanSignal/label-studio/releases/tag/1.11.0","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Release Notes"]},{"url":"https://github.com/HumanSignal/label-studio/security/advisories/GHSA-6xv9-957j-qfhg","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Vendor Advisory"]}]}}]}