Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Stored XSS in Jupyter nbdime
Vulnerability Description
nbdime provides tools for diffing and merging of Jupyter Notebooks. In affected versions a stored cross-site scripting (XSS) issue exists within the Jupyter-owned nbdime project. It appears that when reading the file name and path from disk, the extension does not sanitize the string it constructs before returning it to be displayed. The diffNotebookCheckpoint function within nbdime causes this issue. When attempting to display the name of the local notebook (diffNotebookCheckpoint), nbdime appears to simply append .ipynb to the name of the input file. The NbdimeWidget is then created, and the base string is passed through to the request API function. From there, the frontend simply renders the HTML tag and anything along with it. Users are advised to patch to the most recent version of the affected product.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
nbdime 跨站脚本漏洞
Vulnerability Description
nbdime是开源的用于区分和合并 Jupyter 笔记本的工具。 nbdime 存在跨站脚本漏洞,该漏洞源于当软件从磁盘读取文件名和路径时,扩展名在返回要显示的字符串之前没有对构造的字符串进行有效的过滤与转义。这导致了存储型的跨站脚本漏洞。
CVSS Information
N/A
Vulnerability Type
N/A