—

PYSEC-2018-57

Details

In Jupyter Notebook before 5.4.1, a maliciously forged notebook file can bypass sanitization to execute JavaScript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / notebook

Introduced in: 0 Fixed in: 5.4.1

Fix pip install --upgrade 'notebook>=5.4.1'

References

http://openwall.com/lists/oss-security/2018/03/15/2 [WEB]
https://lists.debian.org/debian-lts-announce/2020/11/msg00033.html [WEB]
https://github.com/advisories/GHSA-6cwv-x26c-w2q4 [ADVISORY]