CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-19351 – Ubuntu Security Notice USN-5585-1
https://notcve.org/view.php?id=CVE-2018-19351
18 Nov 2018 — Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHandler and NbconvertPostHandler do not set a Content Security Policy to prevent this. Jupyter Notebook en versiones anteriores a la 5.7.1 permite Cross-Site Scripting (XSS) mediante un notebook no fiable debido a qu... • https://github.com/jupyter/notebook/blob/master/docs/source/changelog.rst • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-19352
https://notcve.org/view.php?id=CVE-2018-19352
18 Nov 2018 — Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name because notebook/static/tree/js/notebooklist.js handles certain URLs unsafely. Jupyter Notebook en versiones anteriores a la 5.7.2 permite Cross-Site Scripting (XSS) mediante un nombre de directorio manipulado debido a que notebook/static/tree/js/notebooklist.js gestiona ciertas URL de forma no segura. • https://github.com/jupyter/notebook/blob/master/docs/source/changelog.rst • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-8768
https://notcve.org/view.php?id=CVE-2018-8768
18 Mar 2018 — In Jupyter Notebook before 5.4.1, a maliciously forged notebook file can bypass sanitization to execute JavaScript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous. En Jupyter Notebook, en versiones anteriores a la 5.4.1, un archivo notebook maliciosamente manipulado puede omitir el saneamiento para ejecutar JavaScript en el contexto del notebook. Específicamente, el HTML no válido es "arreglado" por jQuery tras el saneamiento, haciéndolo pelig... • http://openwall.com/lists/oss-security/2018/03/15/2 •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 0CVE-2015-7337 – Gentoo Linux Security Advisory 201512-02
https://notcve.org/view.php?id=CVE-2015-7337
29 Sep 2015 — The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to execute arbitrary JavaScript code via a crafted file, which triggers a redirect to files/, related to MIME types. Vulnerabilidad en el editor en IPython Notebook en versiones anteriores a 3.2.2 y Jupyter Notebook 4.0.x en versiones anteriores a 4.0.5, permite a atacantes remotos ejecutar código JavaScript arbitrario a través de un archivo manipulado, lo que desencadena una redireción a files/, rela... • http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167670.html • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 1%CPEs: 11EXPL: 2CVE-2015-6938
https://notcve.org/view.php?id=CVE-2015-6938
21 Sep 2015 — Cross-site scripting (XSS) vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. NOTE: this was originally reported as a cross-site request forgery (CSRF) vulnerability, but this may be inaccurate. Vulnerabilidad de XSS en el buscador de archivos en notebook/notebookapp.py en IPython Notebook en versiones anteriores a 3.2.2 y Jupyter Notebook 4.0.x... • http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166460.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •