CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2020-26215 – Open redirect in Jupyter Notebook
https://notcve.org/view.php?id=CVE-2020-26215
Jupyter Notebook before version 6.1.5 has an Open redirect vulnerability. A maliciously crafted link to a notebook server could redirect the browser to a different website. All notebook servers are technically affected, however, these maliciously crafted links can only be reasonably made for known notebook server hosts. A link to your notebook server may appear safe, but ultimately redirect to a spoofed server on the public internet. The issue is patched in version 6.1.5. • https://github.com/jupyter/notebook/commit/3cec4bbe21756de9f0c4bccf18cf61d840314d74 https://github.com/jupyter/notebook/security/advisories/GHSA-c7vm-f5p4-8fqh https://lists.debian.org/debian-lts-announce/2020/12/msg00004.html • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2018-21030
https://notcve.org/view.php?id=CVE-2018-21030
Jupyter Notebook before 5.5.0 does not use a CSP header to treat served files as belonging to a separate origin. Thus, for example, an XSS payload can be placed in an SVG document. Jupyter Notebook versiones anteriores a 5.5.0, no utiliza un encabezado CSP para tratar los archivos servidos como pertenecientes a un origen separado. Así, por ejemplo, se puede colocar una carga XSS en un documento SVG. • https://github.com/jupyter/notebook/pull/3341 https://github.com/jupyter/notebook/releases/tag/5.5.0 https://lists.debian.org/debian-lts-announce/2020/11/msg00033.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-863: Incorrect Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-10856
https://notcve.org/view.php?id=CVE-2019-10856
In Jupyter Notebook before 5.7.8, an open redirect can occur via an empty netloc. This issue exists because of an incomplete fix for CVE-2019-10255. En Jupyter Notebook, en versiones anteriores a la 5.7.8, puede ocurrir una redirección abierta mediante un netloc vacío. Este problema existe debido a una solución incompleta para CVE-2019-10255. • https://blog.jupyter.org/open-redirect-vulnerability-in-jupyter-jupyterhub-adf43583f1e4 https://github.com/jupyter/notebook/compare/16cf97c...b8e30ea • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2019-10255
https://notcve.org/view.php?id=CVE-2019-10255
An Open Redirect vulnerability for all browsers in Jupyter Notebook before 5.7.7 and some browsers (Chrome, Firefox) in JupyterHub before 0.9.5 allows crafted links to the login page, which will redirect to a malicious site after successful login. Servers running on a base_url prefix are not affected. Una vulnerabilidad de redirección abierta para todos los navegadores en Jupyter Notebook, en versiones anteriores a la 5.7.7, y en algunos navegadores (Chrome, Firefox) en JupyterHub, en versiones anteriores a la 0.9.5, permite que los enlaces manipulados accedan a la página de inicio de sesión, lo que redirigirá a un sitio malicioso después de un inicio de sesión exitoso. No se ven afectados los servidores que ejecutan un prefijo "base_url". • https://blog.jupyter.org/open-redirect-vulnerability-in-jupyter-jupyterhub-adf43583f1e4 https://github.com/jupyter/notebook/commit/08c4c898182edbe97aadef1815cce50448f975cb https://github.com/jupyter/notebook/commit/70fe9f0ddb3023162ece21fbb77d5564306b913b https://github.com/jupyter/notebook/commit/d65328d4841892b412aef9015165db1eb029a8ed https://github.com/jupyter/notebook/compare/05aa4b2...16cf97c https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UP5RLEES2JBBNSNLBR65XM6PCD4EMF7D https://lists.fedoraproject.org/archive • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2019-9644
https://notcve.org/view.php?id=CVE-2019-9644
An XSSI (cross-site inclusion) vulnerability in Jupyter Notebook before 5.7.6 allows inclusion of resources on malicious pages when visited by users who are authenticated with a Jupyter server. Access to the content of resources has been demonstrated with Internet Explorer through capturing of error messages, though not reproduced with other browsers. This occurs because Internet Explorer's error messages can include the content of any invalid JavaScript that was encountered. Una vulnerabilidad de Cross-Site Inclusion (XSSI) en Jupyter Notebook, en versiones anteriores a la 5.7.6, permite la inclusión de recursos en páginas maliciosas cuando recibe visitas de usuarios autenticados con un servidor Jupyter. Se ha demostrado el acceso al contenido de los recursos con Internet Explorer mediante la captura de avisos de error, aunque no se ha reproducido en otros navegadores. • https://github.com/jupyter/notebook/compare/f3f00df...05aa4b2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UP5RLEES2JBBNSNLBR65XM6PCD4EMF7D https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMDPJBVXOVO6LYGAT46VZNHH6JKSCURO • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •