Note:
This project will be discontinued after December 13, 2021.
Product: Notebook (Jupyter)
Repositories:
• https://github.com/jupyter/notebook
• https://github.com/ipython/ipython
#Vulnerabilities: 16

Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2018-03-18 | CVE-2018-8768 | In Jupyter Notebook before 5.4.1, a maliciously forged notebook file can bypass sanitization to execute JavaScript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous. | Notebook | 7.8 | ||
2019-10-31 | CVE-2018-21030 | Jupyter Notebook before 5.5.0 does not use a CSP header to treat served files as belonging to a separate origin. Thus, for example, an XSS payload can be placed in an SVG document. | Notebook | 5.3 | ||
2019-04-04 | CVE-2019-10856 | In Jupyter Notebook before 5.7.8, an open redirect can occur via an empty netloc. This issue exists because of an incomplete fix for CVE-2019-10255. | Notebook | 6.1 | ||
2018-11-18 | CVE-2018-19352 | Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name because notebook/static/tree/js/notebooklist.js handles certain URLs unsafely. | Notebook | 6.1 | ||
2015-09-29 | CVE-2015-7337 | The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to execute arbitrary JavaScript code via a crafted file, which triggers a redirect to files/, related to MIME types. | Notebook, Notebook | N/A | ||
2015-09-21 | CVE-2015-6938 | Cross-site scripting (XSS) vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. NOTE: this was originally reported as a cross-site request forgery (CSRF) vulnerability, but this may be inaccurate. | Fedora, Notebook, Notebook, Opensuse | N/A | ||