CVE-2018-19351

MEDIUM

Jupyter Notebook < 5.7.1 - Cross-Site Scripting via Nbconvert Endpoint

Title source: llm
STIX 2.1

Description

Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHandler and NbconvertPostHandler do not set a Content Security Policy to prevent this.

Scores

CVSS v3 6.1
EPSS 0.0151
EPSS Percentile 71.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
jupyter/notebook < 5.7.1
pypi/notebook 0 - 5.7.1PyPI
Published Nov 18, 2018
Tracked Since Feb 18, 2026