Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQ5NTItcDU4cS02Y3J4

Moderate CVSS: 6.3 EPSS: 0.01136% (0.77755 Percentile) EPSS:
Permalink JSON

JupyterLab: XSS due to lack of sanitization of the action attribute of an html <form>

Affected Packages Affected Versions Fixed Versions
pypi:jupyterlab
PURL: pkg:pypi/jupyterlab
>= 3.1.0a0, < 3.1.4, >= 3.0.0a0, < 3.0.17, >= 2.3.0a0, < 2.3.2, >= 2.0.0a0, < 2.2.10, < 1.2.21 3.1.4, 3.0.17, 2.3.2, 2.2.10, 1.2.21
970 Dependent packages
24,518 Dependent repositories
40,194,684 Downloads last month

Affected Version Ranges

All affected versions

0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.13, 0.1.1, 0.1.2, 0.2.0, 0.3.0, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.9.1, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.12.0, 0.12.1, 0.13.0, 0.13.1, 0.13.2, 0.14.0, 0.15.0, 0.15.1, 0.16.0, 0.16.2, 0.17.0, 0.17.1, 0.17.2, 0.17.4, 0.17.5, 0.18.0, 0.18.1, 0.19.0, 0.20.0, 0.20.0rc1, 0.20.1, 0.20.2, 0.20.3, 0.20.4, 0.21.0, 0.21.0rc1, 0.21.0rc2, 0.21.0rc3, 0.21.0rc4, 0.21.0rc5, 0.22.0, 0.22.0rc0, 0.22.1, 0.23.0, 0.23.0rc0, 0.23.0rc1, 0.23.1, 0.23.2, 0.24.0, 0.24.0rc0, 0.24.0rc1, 0.24.0rc2, 0.24.1, 0.25.0, 0.25.0rc0, 0.25.0rc1, 0.25.1, 0.25.2, 0.25.2rc0, 0.26.0, 0.26.0rc0, 0.26.0rc1, 0.26.1, 0.26.2, 0.26.3, 0.26.4, 0.26.5, 0.27.0, 0.27.0rc0, 0.27.0rc1, 0.27.0rc2, 0.27.0rc3, 0.27.0rc4, 0.27.0rc5, 0.27.1, 0.27.2, 0.28.0, 0.28.0rc0, 0.28.0rc1, 0.28.0rc2, 0.28.0rc3, 0.28.1, 0.28.2, 0.28.3, 0.28.4, 0.28.5, 0.28.6, 0.28.7, 0.28.8, 0.28.10, 0.28.11, 0.28.12, 0.28.13, 0.28.14, 0.28.15, 0.29.0, 0.29.0rc0, 0.29.1, 0.29.2, 0.30.0, 0.30.0rc0, 0.30.0rc1, 0.30.1, 0.30.2, 0.30.3, 0.30.4, 0.30.5, 0.30.6, 0.31.0, 0.31.0rc0, 0.31.0rc1, 0.31.0rc2, 0.31.1, 0.31.2, 0.31.3, 0.31.4, 0.31.5, 0.31.6, 0.31.7, 0.31.8, 0.31.9, 0.31.10, 0.31.11, 0.31.12, 0.32.0, 0.32.0rc0, 0.32.0rc1, 0.32.1, 0.33.0, 0.33.0rc0, 0.33.0rc1, 0.33.1, 0.33.2, 0.33.3, 0.33.4, 0.33.5, 0.33.6, 0.33.7, 0.33.8, 0.33.9, 0.33.10, 0.33.11, 0.33.12, 0.34.0, 0.34.0rc0, 0.34.0rc1, 0.34.0rc2, 0.34.1, 0.34.2, 0.34.3, 0.34.4, 0.34.5, 0.34.6, 0.34.7, 0.34.8, 0.34.9, 0.34.10, 0.34.11, 0.34.12, 0.35.0, 0.35.0rc0, 0.35.0rc1, 0.35.0rc2, 0.35.1, 0.35.2, 0.35.3, 0.35.4, 0.35.5, 0.35.6, 1.0.0, 1.0.0a0, 1.0.0a1, 1.0.0a2, 1.0.0a3, 1.0.0a4, 1.0.0a5, 1.0.0a6, 1.0.0a7, 1.0.0a8, 1.0.0a9, 1.0.0a10, 1.0.0rc0, 1.0.0rc1, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.9, 1.0.10, 1.1.0, 1.1.0a0, 1.1.0a1, 1.1.0a2, 1.1.0rc0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.0, 1.2.0a0, 1.2.0a1, 1.2.0a2, 1.2.0a3, 1.2.0rc0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12, 1.2.13, 1.2.14, 1.2.15, 1.2.16, 1.2.17, 1.2.18, 1.2.19, 1.2.20, 2.0.0, 2.0.0a0, 2.0.0a1, 2.0.0a3, 2.0.0a4, 2.0.0b1, 2.0.0b2, 2.0.0b3, 2.0.0rc0, 2.0.0rc1, 2.0.0rc2, 2.0.1, 2.0.1rc0, 2.0.2, 2.1.0, 2.1.0a0, 2.1.0b0, 2.1.0rc0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.2.0, 2.2.0a0, 2.2.0a1, 2.2.0rc1, 2.2.1, 2.2.2, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.3.0, 2.3.0a0, 2.3.0a1, 2.3.0a2, 2.3.0rc0, 2.3.1, 3.0.0, 3.0.0a0, 3.0.0a3, 3.0.0a4, 3.0.0a5, 3.0.0a6, 3.0.0a7, 3.0.0a8, 3.0.0a9, 3.0.0a10, 3.0.0a11, 3.0.0a12, 3.0.0a13, 3.0.0a14, 3.0.0b1, 3.0.0b2, 3.0.0b3, 3.0.0b4, 3.0.0b6, 3.0.0b7, 3.0.0b8, 3.0.0rc0, 3.0.0rc1, 3.0.0rc2, 3.0.0rc3, 3.0.0rc4, 3.0.0rc5, 3.0.0rc6, 3.0.0rc7, 3.0.0rc8, 3.0.0rc9, 3.0.0rc10, 3.0.0rc11, 3.0.0rc12, 3.0.0rc13, 3.0.0rc14, 3.0.0rc15, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.1.0, 3.1.0a0, 3.1.0a1, 3.1.0a2, 3.1.0a3, 3.1.0a4, 3.1.0a5, 3.1.0a6, 3.1.0a7, 3.1.0a8, 3.1.0a9, 3.1.0a10, 3.1.0a11, 3.1.0a12, 3.1.0a13, 3.1.0b0, 3.1.0b1, 3.1.0rc1, 3.1.0rc2, 3.1.1, 3.1.2

All unaffected versions

1.2.21, 2.2.10, 2.3.2, 3.0.17, 3.0.18, 3.1.4, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.2.0, 3.2.0a0, 3.2.0a1, 3.2.0b0, 3.2.0rc0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.3.0, 3.3.0a1, 3.3.0a2, 3.3.0a3, 3.3.0b0, 3.3.0rc0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.4.0a0, 3.4.0b0, 3.4.0rc0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.5.0, 3.5.0a0, 3.5.0b0, 3.5.0rc0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.0a0, 3.6.0a1, 3.6.0a2, 3.6.0a3, 3.6.0a4, 3.6.0a5, 3.6.0b0, 3.6.0rc0, 3.6.0rc1, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 4.0.0, 4.0.0a0, 4.0.0a1, 4.0.0a3, 4.0.0a4, 4.0.0a6, 4.0.0a7, 4.0.0a8, 4.0.0a9, 4.0.0a10, 4.0.0a11, 4.0.0a12, 4.0.0a13, 4.0.0a14, 4.0.0a15, 4.0.0a16, 4.0.0a17, 4.0.0a18, 4.0.0a19, 4.0.0a20, 4.0.0a21, 4.0.0a22, 4.0.0a23, 4.0.0a24, 4.0.0a25, 4.0.0a26, 4.0.0a27, 4.0.0a28, 4.0.0a29, 4.0.0a30, 4.0.0a31, 4.0.0a32, 4.0.0a33, 4.0.0a34, 4.0.0a35, 4.0.0a36, 4.0.0a37, 4.0.0b0, 4.0.0b1, 4.0.0b2, 4.0.0rc0, 4.0.0rc1, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.1.0, 4.1.0a1, 4.1.0a2, 4.1.0a3, 4.1.0a4, 4.1.0b0, 4.1.0b1, 4.1.0b2, 4.1.0rc0, 4.1.0rc1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2.0, 4.2.0a0, 4.2.0a1, 4.2.0a2, 4.2.0b0, 4.2.0b1, 4.2.0b2, 4.2.0b3, 4.2.0rc0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.3.0, 4.3.0a0, 4.3.0a1, 4.3.0a2, 4.3.0b0, 4.3.0b1, 4.3.0b2, 4.3.0b3, 4.3.0rc0, 4.3.0rc1, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.4.0, 4.4.0a0, 4.4.0a1, 4.4.0a2, 4.4.0a3, 4.4.0b0, 4.4.0b1, 4.4.0b2, 4.4.0rc0, 4.4.0rc1, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.5.0a0, 4.5.0a1, 4.5.0a2, 4.5.0a3, 4.5.0a4, 4.5.0b0, 4.5.0b1
pypi:notebook
PURL: pkg:pypi/notebook
>= 6.0.0, < 6.4.1, < 5.7.11 6.4.1, 5.7.11
705 Dependent packages
60,132 Dependent repositories
56,964,763 Downloads last month

Affected Version Ranges

All affected versions

0.0.0, 4.0.0, 4.0.1, 4.0.2, 4.0.4, 4.0.5, 4.0.6, 4.1.0, 4.2.0, 4.2.0b1, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.3.2, 4.4.0, 4.4.1, 5.0.0, 5.0.0b1, 5.0.0b2, 5.0.0rc1, 5.0.0rc2, 5.1.0, 5.1.0rc1, 5.1.0rc2, 5.1.0rc3, 5.2.0, 5.2.0rc1, 5.2.1, 5.2.1rc1, 5.2.2, 5.3.0, 5.3.0rc1, 5.3.1, 5.4.0, 5.4.1, 5.5.0, 5.5.0rc1, 5.6.0, 5.6.0rc1, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.7.4, 5.7.5, 5.7.6, 5.7.8, 5.7.9, 5.7.10, 6.0.0, 6.0.0rc1, 6.0.1, 6.0.2, 6.0.3, 6.1.0, 6.1.0rc1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.3.0, 6.4.0, 6.4.0a0, 6.4.0a1, 6.4.0rc0

All unaffected versions

5.7.11, 5.7.12, 5.7.13, 5.7.14, 5.7.14a0, 5.7.15, 5.7.16, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.4.12, 6.4.13, 6.5.0, 6.5.0a0, 6.5.0b0, 6.5.0rc0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 7.0.0, 7.0.0a1, 7.0.0a2, 7.0.0a3, 7.0.0a4, 7.0.0a5, 7.0.0a6, 7.0.0a7, 7.0.0a8, 7.0.0a9, 7.0.0a10, 7.0.0a11, 7.0.0a12, 7.0.0a13, 7.0.0a14, 7.0.0a15, 7.0.0a16, 7.0.0a17, 7.0.0a18, 7.0.0b0, 7.0.0b1, 7.0.0b2, 7.0.0b3, 7.0.0b4, 7.0.0rc0, 7.0.0rc1, 7.0.0rc2, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.0a0, 7.1.0a1, 7.1.0a2, 7.1.0b0, 7.1.0rc0, 7.1.0rc1, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.0a0, 7.2.0b0, 7.2.0b1, 7.2.0rc0, 7.2.0rc1, 7.2.1, 7.2.2, 7.2.3, 7.3.0, 7.3.0a0, 7.3.0a1, 7.3.0b0, 7.3.0b1, 7.3.0b2, 7.3.0rc0, 7.3.1, 7.3.2, 7.3.3, 7.4.0, 7.4.0a0, 7.4.0a1, 7.4.0a2, 7.4.0a3, 7.4.0b0, 7.4.0b1, 7.4.0b2, 7.4.0b3, 7.4.0rc0, 7.4.1, 7.4.2, 7.4.3, 7.4.4, 7.4.5, 7.4.6, 7.4.7, 7.5.0a0, 7.5.0a1, 7.5.0a2, 7.5.0a3, 7.5.0b0, 7.5.0b1

Impact

Untrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.

Patches

Patched in the following versions: 3.1.4, 3.0.17, 2.3.2, 2.2.10, 1.2.21.

References

OWASP Page on Restricting Form Submissions

For more information

If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.

Credit: Guillaume Jeanne from Google

References:

Identifiers

GHSA-4952-p58q-6crx

CVE-2021-32797

Risk

Severity

Moderate

CVSS

CVSS Score: 6.3

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

EPSS

EPSS Percentage: 0.01136

EPSS Percentile: 0.77755

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/jupyterlab/jupyterlab

Date and time

Published

about 4 years ago

Updated

12 months ago

API

JSON