CVE-2024-43805 – HTML injection in Jupyter Notebook and JupyterLab leading to DOM Clobbering

https://notcve.org/view.php?id=CVE-2024-43805

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. This vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature. A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user. JupyterLab v3.6.8, v4.2.5 and Jupyter Notebook v7.2.2 have been patched to resolve this issue. Users are advised to upgrade. • https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-9q39-rmj3-p4r2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •