CVE-2021-32862

The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer).

Published: Aug 18, 2022
Updated: Jun 4, 2023
CVE: CVE-2021-32862
GHSA: GHSA-9jmq-rx5f-8jwq
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
jupyter / nbconvert	-	6.2.0.x
nbconvert	-	6.5.1
debian / debian_linux	10.0	10.0.x

https://github.com/jupyter/nbconvert/security/advisories/GHSA-9jmq-rx5f-8jwq
https://github.com/jupyter/nbviewer/security/advisories/GHSA-h274-fcvj-h2wm
https://github.com/pypa/advisory-database/tree/main/vulns/nbconvert/PYSEC-2022-249.yaml
https://lists.debian.org/debian-lts-announce/2023/06/msg00003.html
https://lists.debian.org/debian-lts-announce/2024/09/msg00004.html

Vulnerability Database

CVE-2021-32862