Cyber Resilience

CVE-2023-47115

High · Public PoC

Published: 23 January 2024

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0425 (89.0th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-47115 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Humansignal Label Studio. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as Other Platforms, falls in the Other ATLAS/OWASP Terms risk domain, and has the MITRE ATLAS technique AI Supply Chain Compromise (AML.T0010) in scope.

Deeper analysis

Label Studio versions prior to 1.9.2 contain a cross-site scripting vulnerability in the avatar upload functionality. The affected code in `users/functions.py` verifies only that the upload is an image, by extracting its dimensions, before storing the file; file-extension validation is performed only on the client side. Django's built-in `serve` view then delivers the content, using the file extension from the URL to set the `Content-Type` header. An attacker can therefore supply a file containing HTML and JavaScript that is rendered directly in a victim's browser.

An authenticated user can upload a maliciously named avatar image that bypasses the client-side filter. When another user, particularly a Django administrator, views the avatar, the embedded script executes with the victim's privileges, enabling actions such as creation of a new superuser account.

The GitHub Security Advisory and the 1.9.2 patch recommend upgrading to the fixed release. Additional hardening steps include performing server-side file-extension validation, replacing Django's serve view with a dedicated controller that enforces safe Content-Type handling, and storing avatar content in the database rather than the filesystem.

The EPSS score rose from a low baseline to a peak of 0.27 on 2025-01-22 before receding, indicating a period of increased exploitation interest after public disclosure.

EU & UK References

Vulnerability details

Label Studio is a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as an HTML file on the website. Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image. For example, an attacker can craft a JavaScript payload that adds a new Django Super Administrator user if a Django administrator visits the image.

The file `users/functions.py` lines 18-49 show that the only verification check is that the file is an image, by extracting the dimensions from the file. Label Studio serves avatar images using Django's built-in `serve` view, which is not secure for production use according to Django's documentation. The issue with the Django `serve` view is that it determines the `Content-Type` of the response by the file extension in the URL path. Therefore, an attacker can upload an image that contains malicious HTML code and name the file with a `.html` extension to be rendered as an HTML page. The only file extension validation is performed on the client side, which can be easily bypassed.

Version 1.9.2 fixes this issue. Other remediation strategies include validating the file extension on the server side, not in client-side code; removing the use of Django's `serve` view and implementing a secure controller for viewing uploaded avatar images; saving file content in the database rather than on the filesystem to mitigate against other file-related vulnerabilities; and avoiding trusting user-controlled inputs.
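The server-side checks named in the remediation list above and in the deeper analysis can be sketched as follows. This is an added example, not Label Studio's code or the 1.9.2 patch; the function names, the allow-list and the sample bytes are assumptions made for illustration.

```python
import mimetypes
import uuid

# Allow-list: extension -> (accepted magic-byte prefixes, Content-Type to serve).
ALLOWED = {
    ".png": ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    ".jpg": ((b"\xff\xd8\xff",), "image/jpeg"),
    ".jpeg": ((b"\xff\xd8\xff",), "image/jpeg"),
    ".gif": ((b"GIF87a", b"GIF89a"), "image/gif"),
}

# Constructed sample: a GIF header followed by harmless markup, standing in
# for a file that passes an "is it an image?" check but also contains HTML.
CONSTRUCTED_SAMPLE = b"GIF89a\x01\x00\x01\x00<p>constructed marker</p>"


def extension_based_type(filename):
    """Content-Type an extension-driven static view would send (the weak behaviour)."""
    return mimetypes.guess_type(filename)[0] or "application/octet-stream"


def validate_avatar(filename, data):
    """Server-side check: the extension must be allow-listed and agree with the
    file's magic bytes. Returns (stored_name, content_type) or raises ValueError."""
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} is not allowed for avatars")
    magics, content_type = ALLOWED[ext]
    if not data.startswith(magics):
        raise ValueError("file content does not match its extension")
    # Store under a server-generated name; the client's name is never reused.
    return uuid.uuid4().hex + ext, content_type


def safe_headers(content_type):
    """Headers for a dedicated avatar view: type fixed at upload, no sniffing,
    and no script execution even if the bytes are opened as a document."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    print(extension_based_type("avatar.html"))         # extension decides the type
    name, ctype = validate_avatar("avatar.gif", CONSTRUCTED_SAMPLE)
    print(name, safe_headers(ctype))
```

The same bytes that an extension-driven view would label `text/html` are rejected under a `.html` name and, under an allowed name, are only ever served with the image type recorded at upload.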

CWE(s)

AI Security Analysis (AI)

AI Category: Other Platforms
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Label Studio is an open-source data labeling platform used in AI/ML workflows for annotating datasets, fitting under 'Other Platforms' as it supports data preparation for various AI tasks like computer vision and NLP.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190: Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007: JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.

T1136: Create Account (Persistence)
Adversaries may create an account to maintain access to victim systems.

T1659: Content Injection (Initial Access)
Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic.

Why these techniques?

The XSS vulnerability in the web application enables exploitation of a public-facing application (T1190) via a crafted HTML/JS upload, arbitrary JavaScript execution in victim browsers (T1059.007), content injection (T1659), and account creation (T1136), such as new super administrator users.

MITRE ATLAS Techniques (AI)

AML.T0010: AI Supply Chain Compromise

Affected Assets

humansignal
label studio
≤ 1.9.2

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

addresses: CWE-79

Validates web inputs to reject script-related content that could produce XSS.

addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

References