PYSEC-2019-157

Details

Jupyter Notebook before 5.5.0 does not use a CSP header to treat served files as belonging to a separate origin. Thus, for example, an XSS payload can be placed in an SVG document.

Affected packages

PyPI / notebook
Introduced in: 0
Fixed in: 5.5.0
Fix: pip install --upgrade 'notebook>=5.5.0'
