GHSA-4vwq-x64q-j4cj

Suggest an improvement
Source
https://github.com/advisories/GHSA-4vwq-x64q-j4cj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4vwq-x64q-j4cj/GHSA-4vwq-x64q-j4cj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4vwq-x64q-j4cj
Aliases
Published
2022-05-14T02:04:49Z
Modified
2024-09-23T17:27:49.131389Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Improper Neutralization of Input During Web Page Generation in Jupyter Notebook
Details

Cross-site scripting (XSS) vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. NOTE: this was originally reported as a cross-site request forgery (CSRF) vulnerability, but this may be inaccurate.

Database specific
{
    "nvd_published_at": "2015-09-21T19:59:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T20:10:16Z"
}
References

Affected packages

PyPI / notebook

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.0.5

Affected versions

4.*

4.0.0
4.0.1
4.0.2
4.0.4

Database specific

{
    "last_known_affected_version_range": "<= 4.0.4"
}

PyPI / ipython

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.2.2

Affected versions

0.*

0.7.1.fix1
0.7.4.svn.r2010
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.6.10
0.6.11
0.6.12
0.6.13
0.6.14
0.6.15
0.7.0
0.7.1
0.7.2
0.7.3
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.9
0.9.1
0.10
0.10.1
0.10.2
0.11
0.12
0.12.1
0.13
0.13.1
0.13.2

1.*

1.0.0
1.1.0
1.2.0
1.2.1

2.*

2.0.0
2.1.0
2.2.0
2.3.0
2.3.1
2.4.0
2.4.1

3.*

3.0.0
3.1.0
3.2.0
3.2.1

Database specific

{
    "last_known_affected_version_range": "<= 3.2.1"
}