CVE-2021-32862 — Cross-site Scripting in Nbconvert

CWE-79 — Cross-site Scripting5 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.8%

top 26.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jupyter Nbconvert Debian Nbconvert Debian Linux

Timeline

PublishedAug 18

Description

The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

▶debiandebian/nbconvert< nbconvert 6.5.1-1 (bookworm)

▶PyPIjupyter/nbconvert< 6.5.1

▶Debianjupyter/nbconvert< 5.6.1-3+deb11u1+3

▶NVDjupyter/nbconvert6.2.0

Also affects: Debian Linux 10.0

🔴Vulnerability Details

OSV

CVE-2021-32862: The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert↗2022-08-18

▶

OSV

nbconvert vulnerable to cross-site scripting (XSS) via multiple exploit paths↗2022-08-10

▶

GHSA

nbconvert vulnerable to cross-site scripting (XSS) via multiple exploit paths↗2022-08-10

▶

📋Vendor Advisories

Debian

CVE-2021-32862: nbconvert - The GitHub Security Lab discovered sixteen ways to exploit a cross-site scriptin...↗2021

▶