CVE-2018-19351
MEDIUMJupyter Notebook < 5.7.1 - Cross-Site Scripting via Nbconvert Endpoint
Title source: llmDescription
Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHandler and NbconvertPostHandler do not set a Content Security Policy to prevent this.
References (5)
Core 5
Core References
Mailing List x_refsource_misc
https://groups.google.com/forum/#%21topic/jupyter/hWzu2BSsplY
Third Party Advisory x_refsource_misc
https://pypi.org/project/notebook/#history
Release Notes x_refsource_misc
https://github.com/jupyter/notebook/blob/master/docs/source/changelog.rst
Patch, Third Party Advisory x_refsource_misc
https://github.com/jupyter/notebook/commit/107a89fce5f413fb5728c1c5d2c7788e1fb17491
Mailing List mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/11/msg00033.html
Scores
CVSS v3
6.1
EPSS
0.0151
EPSS Percentile
71.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
jupyter/notebook
< 5.7.1
pypi/notebook
0 - 5.7.1PyPI
Published
Nov 18, 2018
Tracked Since
Feb 18, 2026