HumanSignal label-studio
cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*
- < 1.18.0
A reflected cross-site scripting vulnerability has been identified in Label Studio versions prior to 1.18.0. This issue allows an attacker to inject a malicious script into a web page, potentially leading to data theft, session hijacking, unauthorized actions on behalf of the user, and other attacks. The vulnerability can be reproduced by sending a properly formatted request to the POST /projects/upload-example/ endpoint. In the source code, the vulnerability is located in label_studio/projects/views.py, specifically in the upload_example_using_config function, where user-supplied label configuration is not properly sanitized before being included in the response.
Exploitation of this vulnerability allows for the execution of injected scripts in the context of the user's browser, which can lead to unauthorized actions being performed on behalf of the user or the theft of sensitive information, such as cookies.
To reproduce this vulnerability, send a POST request to the /projects/upload-example/ endpoint with a label_config parameter that includes a script injection payload, such as a JavaScript alert. Alternatively, create an HTML page that automatically submits a form with the injected script payload to the same endpoint.
Users can upgrade to Label Studio version 1.18.0 or later, where this vulnerability has been patched.
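An added illustration of the bug class described above, not Label Studio's code or its actual patch: a hypothetical handler that reflects label_config in its response, shown in an unescaped and a hardened form. The function names, the JSON response shape and the content types are assumptions made for this example.

```python
import json

# Constructed sample value for the label_config form field (not taken from the advisory).
SAMPLE_CONFIG = '<View><Text name="t" value="$text"/><script>alert(1)</script></View>'


def respond_unsafe(label_config: str) -> dict:
    """Hypothetical 'before': echoes the value in a body served as text/html."""
    body = json.dumps({"label_config": label_config})  # json.dumps leaves < and > as-is
    return {"headers": {"Content-Type": "text/html; charset=utf-8"}, "body": body}


def respond_safe(label_config: str) -> dict:
    """Hardened form: JSON content type, nosniff, and no raw HTML metacharacters."""
    body = json.dumps({"label_config": label_config})
    # \u003c, \u003e and \u0026 are valid JSON string escapes, so clients decode the same value.
    for ch in "<>&":
        body = body.replace(ch, "\\u%04x" % ord(ch))
    headers = {
        "Content-Type": "application/json",
        "X-Content-Type-Options": "nosniff",
    }
    return {"headers": headers, "body": body}


def browser_would_run_markup(response: dict) -> bool:
    """Review/test helper: HTML content type plus a raw '<' in the reflected body."""
    ctype = response["headers"].get("Content-Type", "").lower()
    return ctype.startswith("text/html") and "<" in response["body"]
```

The helper can serve as a regression check in a test suite for any endpoint that returns user-supplied configuration.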