Count: 3
CVE-2024-26152

### Summary

On all Label Studio versions prior to 1.11.0, data imported via the file upload feature is not properly sanitized before being rendered within a [`Choices`](https://labelstud.io/tags/choices) or [`Labels`](https://labelstud.io/tags/labels) tag, resulting in an XSS vulnerability.

### Details

Requires permission to use the "data import" function. This was reproduced on Label Studio 1.10.1.

### PoC

1. Create a project.
2. Upload a file containing the payload using the "Upload Files" function.

The following are the contents of the files used in the PoC: `{ "data": { "prompt": "`
GHSA-6xv9-957j-qfhg
Label Studio vulnerable to Cross-site Scripting if `<Choices>` or `<Labels>` are used in labeling config
| Vulnerability | CVSS | EPSS | Published |
|---|---|---|---|
| CVE-2024-26152: Label Studio prior to 1.11.0 does not sanitize data imported via file upload before rendering it in a `Choices` or `Labels` tag (XSS) | CVSS3: 4.7 | 1% Low | almost 2 years ago |
| GHSA-6xv9-957j-qfhg: Label Studio vulnerable to Cross-site Scripting if `<Choices>` or `<Labels>` are used in labeling config | CVSS3: 4.7 | 1% Low | almost 2 years ago |