CVE-2025-23205Resource Exposure in Nbgrader

CWE-668Resource ExposureCWE-1021UI Misrepresentation / Clickjacking4 documents4 sources
Severity
6.9MEDIUMNVD
EPSS
0.3%
top 48.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Jupyter Nbgrader
Timeline
PublishedJan 17

Description

nbgrader is a system for assigning and grading notebooks. Enabling frame-ancestors: 'self' grants any JupyterHub user the ability to extract formgrader content by sending malicious links to users with access to formgrader, at least when using the default JupyterHub configuration of `enable_subdomains = False`. #1915 disables a protection which would allow user Alice to craft a page embedding formgrader in an IFrame. If Bob visits that page, his credentials will be sent and the formgrader page lo

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

PyPIjupyter/nbgrader0.9.40.9.5
CVEListV5jupyter/nbgrader= 0.9.4

🔴Vulnerability Details

3
OSV
nbgrader's `frame-ancestors: self` grants all users access to formgrader2025-01-17
CVEList
`frame-ancestors: self` grants all users access to formgrader in nbgrader2025-01-17
GHSA
nbgrader's `frame-ancestors: self` grants all users access to formgrader2025-01-17
CVE-2025-23205 — Resource Exposure in Jupyter Nbgrader | cvebase