Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHandler and NbconvertPostHandler do not set a Content Security Policy to prevent this.
Metrics
Affected Vendors & Products
Advisories
Source | ID | Title |
---|---|---|
![]() |
DLA-2432-1 | jupyter-notebook security update |
![]() |
EUVD-2018-0104 | Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHandler and NbconvertPostHandler do not set a Content Security Policy to prevent this. |
![]() |
GHSA-49qr-xh3w-h436 | Jupyter Notebook XSS via untrusted notebooks |
![]() |
USN-5585-1 | Jupyter Notebook vulnerabilities |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
No history.

Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2024-08-05T11:37:10.582Z
Reserved: 2018-11-18T00:00:00
Link: CVE-2018-19351

No data.

Status : Modified
Published: 2018-11-18T17:29:00.267
Modified: 2024-11-21T03:57:47.060
Link: CVE-2018-19351

No data.

No data.