Jupyter Notebook before 5.5.0 does not use a CSP header to treat served files as belonging to a separate origin. Thus, for example, an XSS payload can be placed in an SVG document.

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | jupyter-notebook | < 5.7.4-1 | jupyter-notebook_5.7.4-1_all.deb |
Debian | 11 | all | jupyter-notebook | < 5.7.4-1 | jupyter-notebook_5.7.4-1_all.deb |
Debian | 10 | all | jupyter-notebook | < 5.7.4-1 | jupyter-notebook_5.7.4-1_all.deb |
Debian | 999 | all | jupyter-notebook | < 5.7.4-1 | jupyter-notebook_5.7.4-1_all.deb |
Debian | 13 | all | jupyter-notebook | < 5.7.4-1 | jupyter-notebook_5.7.4-1_all.deb |