Cross-Site Scripting Vulnerability in Jupyter Notebook by Jupyter
CVE-2018-19352
6.1 MEDIUM
What is CVE-2018-19352?
A cross-site scripting (XSS) vulnerability exists in Jupyter Notebook prior to version 5.7.2. This flaw is attributable to unsafe handling of certain URLs in the notebook/static/tree/js/notebooklist.js file. Attackers could exploit this vulnerability by providing a crafted directory name, which could lead to unauthorized script execution in users' browsers. As a result, users may be tricked into revealing sensitive information or executing unintended actions. It is recommended that users upgrade to the latest version to mitigate the risks associated with this vulnerability.
