CVE-2023-47115
Published: 23 January 2024
Summary
CVE-2023-47115 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Humansignal Label Studio. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other Platforms; in the Other ATLAS/OWASP Terms risk domain; MITRE ATLAS techniques in scope: AI Supply Chain Compromise (AML.T0010).
Deeper analysis
Label Studio versions prior to 1.9.2 contain a cross-site scripting vulnerability in the avatar upload functionality. The affected code in users/functions.py performs only a client-side image dimension check before storing the file, after which Django's built-in serve view delivers the content using the file extension from the URL to set the Content-Type header. An attacker can therefore supply a file containing HTML and JavaScript that is rendered directly in a victim's browser.
An authenticated user can upload a maliciously named avatar image that bypasses the client-side filter. When another user, particularly a Django administrator, views the avatar, the embedded script executes with the victim's privileges, enabling actions such as creation of a new superuser account.
The GitHub Security Advisory and the 1.9.2 patch recommend upgrading to the fixed release. Additional hardening steps include performing server-side file-extension validation, replacing Django's serve view with a dedicated controller that enforces safe Content-Type handling, and storing avatar content in the database rather than the filesystem.
The EPSS score rose from a low baseline to a peak of 0.27 on 2025-01-22 before receding, indicating a period of increased exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0082
Vulnerability details
Label Studio is an a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered…
more
as a HTML file on the website. Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image. For an example, an attacker can craft a JavaScript payload that adds a new Django Super Administrator user if a Django administrator visits the image. The file `users/functions.py` lines 18-49 show that the only verification check is that the file is an image by extracting the dimensions from the file. Label Studio serves avatar images using Django's built-in `serve` view, which is not secure for production use according to Django's documentation. The issue with the Django `serve` view is that it determines the `Content-Type` of the response by the file extension in the URL path. Therefore, an attacker can upload an image that contains malicious HTML code and name the file with a `.html` extension to be rendered as a HTML page. The only file extension validation is performed on the client-side, which can be easily bypassed. Version 1.9.2 fixes this issue. Other remediation strategies include validating the file extension on the server side, not in client-side code; removing the use of Django's `serve` view and implement a secure controller for viewing uploaded avatar images; saving file content in the database rather than on the filesystem to mitigate against other file related vulnerabilities; and avoiding trusting user controlled inputs.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Other Platforms
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Label Studio is an open-source data labeling platform used in AI/ML workflows for annotating datasets, fitting under 'Other Platforms' as it supports data preparation for various AI tasks like computer vision and NLP.
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XSS vulnerability in web application enables exploitation of public-facing application (T1190) via crafted HTML/JS upload, arbitrary JavaScript execution in victim browsers (T1059.007), content injection (T1659), and account creation (T1136) such as new super administrator users.
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.