HumanSignal Label Studio
cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*
- < 1.16.0
A Cross-Site Scripting (XSS) vulnerability has been identified in Label Studio versions prior to 1.16.0. The issue arises in the '/projects/upload-example' endpoint, which allows the injection of arbitrary HTML via a GET request with a specially crafted 'label_config' query parameter. Attackers can exploit this by embedding malicious HTML or JavaScript into an XML label configuration, which is then executed in the context of the victim's browser. Although the application implements a Content Security Policy (CSP), the policy is deployed in report-only mode, which reports violations without blocking them and therefore fails to prevent script execution. This vulnerability could lead to the theft of sensitive information, session hijacking, or other malicious activities.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the victim's browser, potentially leading to the theft of sensitive data, session hijacking, or other malicious actions.
To reproduce this vulnerability, create a label configuration that includes an XSS payload, such as an image tag with an 'onerror' event handler executing JavaScript. URL-encode this payload and send a GET request to the '/projects/upload-example' endpoint with the 'label_config' query parameter set to the encoded payload. When the crafted URL is accessed, the payload is executed, demonstrating the XSS vulnerability.
Users are advised to update to Label Studio version 1.16.0 or later, where this vulnerability has been patched.
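The description notes that the CSP was present but only in report-only mode. As an added example (not Label Studio's code), the Python check below classifies a response's CSP posture from its headers and reports whether inline event handlers such as 'onerror' would be blocked. The header values are constructed samples, and the source-list handling is a simplified model of the CSP Level 3 rules.

```python
ENFORCE = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Constructed sample header sets (assumptions, not captured from Label Studio).
SAMPLES = {
    "report_only": {"Content-Security-Policy-Report-Only":
                    "default-src 'self'; script-src 'self'; report-uri /csp-report"},
    "enforced": {"Content-Security-Policy": "default-src 'self'; script-src 'self'"},
    "weak": {"Content-Security-Policy": "script-src 'self' 'unsafe-inline'"},
}


def parse_policy(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # The first occurrence of a directive wins; later duplicates are ignored.
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def allows_inline_handlers(policy):
    """True if inline event-handler attributes would be allowed to run."""
    for name in ("script-src-attr", "script-src", "default-src"):
        if name in policy:
            sources = policy[name]
            break
    else:
        return True  # no directive governs script execution at all
    # A nonce, hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
    if any(s.startswith(HASH_OR_NONCE) or s == "'strict-dynamic'" for s in sources):
        return False
    return "'unsafe-inline'" in sources


def csp_posture(headers):
    """Return 'none', 'report-only', 'enforced-allows-inline' or 'enforced-blocks-inline'."""
    h = {k.lower(): v for k, v in headers.items()}
    if ENFORCE in h:
        inline = allows_inline_handlers(parse_policy(h[ENFORCE]))
        return "enforced-allows-inline" if inline else "enforced-blocks-inline"
    return "report-only" if REPORT_ONLY in h else "none"


if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, "->", csp_posture(hdrs))
```

Only the 'enforced-blocks-inline' result means the browser would stop an injected inline handler; 'report-only' means violations are reported while the script still runs.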