CVE-2021-32862

HIGH

nbconvert < 6.2.0 - Cross-Site Scripting via HTML Notebook Generation

Title source: llm
STIX 2.1

Description

The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer).

Scores

CVSS v3 7.5
EPSS 0.0110
EPSS Percentile 62.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-79
Status published
Products (3)
debian/debian_linux 10.0
jupyter/nbconvert < 6.2.0
pypi/nbconvert 0 - 6.5.1PyPI
Published Aug 18, 2022
Tracked Since Feb 18, 2026