CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

17 Jan 2025 — nbgrader is a system for assigning and grading notebooks. Enabling frame-ancestors: 'self' grants any JupyterHub user the ability to extract formgrader content by sending malicious links to users with access to formgrader, at least when using the default JupyterHub configuration of `enable_subdomains = False`. #1915 disables a protection which would allow user Alice to craft a page embedding formgrader in an IFrame. If Bob visits that page, his credentials will be sent and the formgrader page loaded. Becaus... • https://github.com/jupyter/nbgrader/commit/73e137511ac1dc02e95790d4fd6d4d88dab42325 • CWE-668: Exposure of Resource to Wrong Sphere