Hi,

Sorry, I mistyped the CVE for the report:

Here is the correct information:

CVE-2018-19351[0]:
| Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook
| because nbconvert responses are considered to have the same origin as
| the notebook server. In other words, nbconvert endpoints can execute
| JavaScript with access to the server API. In
| notebook/nbconvert/handlers.py, NbconvertFileHandler and
| NbconvertPostHandler do not set a Content Security Policy to prevent
| this.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19351
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19351
[1] https://github.com/jupyter/notebook/commit/107a89fce5f413fb5728c1c5d2c7788e1fb17491

Regards,
Salvatore
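
The following is an added example, not part of the original message and not the Jupyter project's code. It checks response headers, such as those captured from an nbconvert endpoint, for an enforced Content-Security-Policy that places the document in an opaque origin. Using the CSP `sandbox` directive as the confinement mechanism is an assumption; the function names and header samples are constructed for illustration.

```python
# Added example. Header values below are constructed samples.

def parse_csp(value):
    """Parse one serialized policy into {directive-name: [tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # CSP keeps the first occurrence of a directive, ignores repeats.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def enforced_policies(headers):
    """Yield parsed policies from (name, value) response header pairs."""
    for name, value in headers:
        # Report-Only headers never enforce anything, so they are skipped.
        if name.lower() != "content-security-policy":
            continue
        # One header value may carry several comma-separated policies.
        for single in value.split(","):
            if single.strip():
                yield parse_csp(single)


def is_origin_isolated(headers):
    """True if an enforced policy sandboxes without allow-same-origin."""
    for policy in enforced_policies(headers):
        flags = policy.get("sandbox")
        if flags is not None:
            if "allow-same-origin" not in [f.lower() for f in flags]:
                return True
    return False


SAMPLES = {  # constructed header sets, one per case worth distinguishing
    "no_csp": [("Content-Type", "text/html")],
    "frame_only": [("Content-Security-Policy", "frame-ancestors 'self'")],
    "sandboxed": [("Content-Security-Policy",
                   "frame-ancestors 'self'; sandbox allow-scripts")],
    "same_origin_kept": [("Content-Security-Policy",
                          "sandbox allow-scripts allow-same-origin")],
    "report_only": [("Content-Security-Policy-Report-Only", "sandbox")],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, is_origin_isolated(headers))
```

Only the `sandboxed` sample is reported as isolated: a missing policy, a policy without `sandbox`, a sandbox that keeps `allow-same-origin`, and a report-only header all leave the response in the server's origin.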
