Cross-Site Scripting Vulnerability in Jupyter Notebook by Jupyter
CVE-2018-19351

6.1MEDIUM

Key Information:

Vendor

Jupyter

Status
Notebook
Vendor
CVE Published:
18 November 2018

What is CVE-2018-19351?

Jupyter Notebook versions before 5.7.1 are susceptible to a Cross-Site Scripting (XSS) vulnerability due to improper handling of nbconvert responses. Specifically, the nbconvert endpoints are treated as having the same origin as the notebook server, allowing unauthorized JavaScript execution with access to the server API. This is due to the lack of a proper Content Security Policy in the NbconvertFileHandler and NbconvertPostHandler. Users running affected versions should update to avoid potential exploitation.

References

https://groups.google.com/forum/#%21topic/jupyter/hWzu2BS...
x_refsource_MISC
https://pypi.org/project/notebook/#history
x_refsource_MISC
https://github.com/jupyter/notebook/blob/master/docs/sour...
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.