CVE-2023-47117 PoC — Label Studio 安全漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-47117.yaml

Associated Vulnerability

Title:Label Studio 安全漏洞 (CVE-2023-47117)
Description:Label Studio是Heartex开源的一个开源数据标注工具。允许您使用简单明了的 UI 标记音频、文本、图像、视频和时间序列等数据类型，并导出为各种模型格式。 Label Studio 1.9.2post0之前版本存在安全漏洞，该漏洞源于允许用户不安全地设置用于过滤任务的过滤器。

Description

An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of query can be manipulated by the ORM filter, an attacker can leak these sensitive fields character by character.

File Snapshot


 id: CVE-2023-47117

info:
  name: Label Studio - Sensitive Information Exposure
  author: iamnoooob,

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!