3 matches found
GHSA-FCW5-X6J4-CCMP Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing `sandbox` CSP
The nbconvert HTTP handlers in jupyterserver render user-authored notebook HTML under the Jupyter origin without a sandbox directive in their Content-Security-Policy. Combined with nbconvert.HTMLExporter's default non-sanitizing behavior, a notebook carrying an HTML payload in a displaydata outpu...
Jupyter Notebook Cross-Site Scripting Vulnerability (CNVD-2019-09602)
Jupyter Notebook is an open source web application that creates and shares documents containing live code, equations, visualizations, and narrative text. A cross-site scripting vulnerability exists in Jupyter Notebook versions prior to 5.7.1, which stems from a failure to set the content security...
UBUNTU-CVE-2018-19351
Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py,...