CVAT Cross-Site Scripting Vulnerability via Malicious SVG Images and Labels

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in CVAT, an open-source annotation tool for video and images. This issue affects versions 2.2.0 through 2.54.0. The vulnerability allows an attacker to execute arbitrary JavaScript in the context of a victim user's CVAT UI session. Exploitation requires the attacker to create a malicious label in a CVAT task or project and then persuade the victim to either edit the label or view a shape associated with it. Alternatively, the attacker can get the victim to upload a crafted SVG image while configuring a skeleton. Successful exploitation grants the attacker temporary access to all CVAT resources available to the victim user.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can execute malicious JavaScript in the context of the victim user, potentially leading to unauthorized actions or data exposure within the CVAT application.

Reproduction

To reproduce this vulnerability, create a label containing a malicious SVG image that includes a JavaScript execution payload, such as an image element with an 'onerror' attribute. Once the label is saved, get a victim user to either edit the label or view a shape that references it. Alternatively, upload a malicious SVG image when configuring a skeleton, which will trigger the execution of the embedded JavaScript.

Remediation

Users are advised to upgrade CVAT to version 2.55.0 or later.
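As an added illustration, not code from CVAT or from this advisory: a server-side allow-list check in Python that a deployment could apply to SVG data arriving in label definitions or skeleton uploads, stripping the event-handler attributes, script elements and script-carrying URL schemes that the vectors described above rely on, and rejecting uploads outright when anything had to be removed. The function names, the deny-list policy and the sample SVG are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET  # production: use defusedxml.ElementTree, which blocks entity-expansion attacks
ET.register_namespace("", "http://www.w3.org/2000/svg")  # keep a clean default namespace on output
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")
# Elements that can execute script or embed HTML inside an SVG (illustrative deny-list, not CVAT's own).
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "object", "embed", "set", "animate", "handler"}

def _local(name):  # strip the "{namespace}" prefix ElementTree puts on tag and attribute names
    return name.rsplit("}", 1)[-1] if isinstance(name, str) else ""

def _url_allowed(value):  # relative/fragment refs and http(s) only; browsers accept "java\tscript:", so squash first
    compact = re.sub(r"[\s\x00-\x1f]", "", value.lower())
    return (compact.partition(":")[0] if ":" in compact else "") in ("", "http", "https")

def _scrub(elem, findings):
    tag = _local(elem.tag)
    for attr in list(elem.attrib):
        name = _local(attr).lower()
        if name.startswith("on"):  # onerror, onload, onclick, ...: every event handler attribute
            findings.append(f"<{tag} {name}>: event handler attribute")
            del elem.attrib[attr]
        elif name in ("href", "src") and not _url_allowed(elem.attrib[attr]):
            findings.append(f"<{tag} {name}>: disallowed URL scheme")
            del elem.attrib[attr]
    for child in list(elem):  # iterate over a copy, since children are removed while walking
        if _local(child.tag) in FORBIDDEN_TAGS:
            findings.append(f"<{_local(child.tag)}>: forbidden element")
            elem.remove(child)
        else:
            _scrub(child, findings)

def sanitize_svg(svg_text):
    """Return (cleaned SVG text, list of removed items); ValueError if the root element is not <svg>."""
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    findings = []
    _scrub(root, findings)
    return ET.tostring(root, encoding="unicode"), findings

def svg_is_safe(svg_text):  # upload gate: accept only files the sanitizer would leave untouched
    try:
        return not sanitize_svg(svg_text)[1]
    except (ET.ParseError, ValueError):
        return False

# Constructed sample (not from the advisory): a skeleton SVG carrying handlers, a javascript: link and a script.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="missing.png" onerror="x()"/><circle cx="5" cy="5" r="4" onclick="x()"/>
  <a xlink:href="javascript:x()"><text>label</text></a><script>x()</script>
</svg>"""
```

Parsing-based filtering like this is defence in depth behind the version upgrade, not a substitute for it; a maintained sanitizer (DOMPurify in the browser, or a server-side equivalent) covers far more edge cases than this deny-list, and the CSS in style attributes is left untouched here.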

Added: Jan 21, 2026, 10:24 PM
Updated: Jan 21, 2026, 10:24 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 1.7
exploitability: 6.0
remediation: 7.7
relevance: 2.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.