HumanSignal label-studio
cpe:2.3:a:humansignal:label_studio:*:*:*:*:*:*:*
- <= 1.22.0
A stored cross-site scripting (XSS) vulnerability has been identified in Label Studio versions through 1.22.0. The vulnerability resides in the custom hotkeys feature and allows authenticated attackers to inject JavaScript that executes in the browsers of other users. The script runs when an affected user loads any page that uses the templates/base.html template. The injected script can exploit the application's API token endpoint, potentially leading to full account takeover and unauthorized API access.
Exploitation of this vulnerability allows for full account takeover of the affected user, including access to their API tokens. This could lead to unauthorized API access, data exfiltration, and, if the victim is an administrator, a wider system compromise.
To reproduce this vulnerability, an authenticated user can send a PATCH request to update the 'custom_hotkeys' field with a payload that includes a script injection. Once the payload is injected, the user can load a page that uses the 'templates/base.html' template, which will execute the injected script in the browser. This script can then access the user's API token and send it to an external server, enabling account takeover.
Users can update to Label Studio version 1.22.1, where this vulnerability has been patched.
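To check an instance for already-stored values, the following added example (not code from Label Studio or from this advisory) walks `custom_hotkeys` data and flags tag-like content, and shows escaping JSON before it is placed in a script context. The record layout, the function names and the assumption that the value is rendered inside a script block are hypothetical.

```python
import json
import re

# Tag-like sequence: "<" followed by a letter, "/", "!" or "?".
# A lone "<" used as a key name (e.g. "shift+<") is not flagged.
TAG_LIKE = re.compile(r"<\s*[/!?a-zA-Z]")


def iter_strings(value, path="custom_hotkeys"):
    """Yield (path, text) for every dict key and string value in nested JSON data."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, child in value.items():
            yield f"{path}.{key} (key)", str(key)
            yield from iter_strings(child, f"{path}.{key}")
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from iter_strings(child, f"{path}[{index}]")


def audit_users(users):
    """Return (user_id, path, text) for each hotkey string containing tag-like content."""
    findings = []
    for user in users:
        for path, text in iter_strings(user.get("custom_hotkeys") or {}):
            if TAG_LIKE.search(text):
                findings.append((user["id"], path, text))
    return findings


def script_safe_json(value):
    """Serialize to JSON with <, > and & as \\uXXXX escapes so the output
    cannot close an enclosing script element (same idea as Django's json_script)."""
    text = json.dumps(value)
    return text.replace("<", "\\u003C").replace(">", "\\u003E").replace("&", "\\u0026")


# Constructed sample records; the field layout is an assumption, not Label Studio's schema.
SAMPLE_USERS = [
    {"id": 1, "custom_hotkeys": {"annotation:submit": {"key": "ctrl+enter", "active": True}}},
    {"id": 2, "custom_hotkeys": {"annotation:skip": {"key": "</script><script>/*constructed*/</script>"}}},
    {"id": 3, "custom_hotkeys": None},
]

if __name__ == "__main__":
    for user_id, path, text in audit_users(SAMPLE_USERS):
        print(f"user {user_id}: {path} = {text!r}")
        print("  escaped:", script_safe_json(text))
```

Any flagged record should be reviewed and cleaned, and the affected user's API token rotated, since upgrading does not by itself remove values stored earlier.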