UBUNTU-CVE-2018-19351
Advisory lineage Upstream: 1 Downstream: 1
Upstream
Downstream
Published: 18 Nov 2018, 17:29
Last modified:04 Feb 2026, 02:13
Vulnerability Summary
Overall Risk (default)
low
24/100 CVSS Score
6.1 MEDIUM
3.0 (osv_ubuntu)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
18 Nov 2018, 17:29
Published
Vulnerability first disclosed
04 Feb 2026, 02:13
Last Modified
Vulnerability information updated
Description
Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHandler and NbconvertPostHandler do not set a Content Security Policy to prevent this.
CVSS Metrics
- v3.0•MEDIUM•Score: 6.1CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Systems
- ubuntu•jupyter-notebook
< 5.2.2-1ubuntu0.1
References (7)
- https://ubuntu.com/security/CVE-2018-19351
- https://github.com/jupyter/notebook/commit/107a89fce5f413fb5728c1c5d2c7788e1fb17491
- https://github.com/jupyter/notebook/blob/master/docs/source/changelog.rst
- https://groups.google.com/forum/#!topic/jupyter/hWzu2BSsplY
- https://pypi.org/project/notebook/#history
- https://ubuntu.com/security/notices/USN-5585-1
- https://www.cve.org/CVERecord?id=CVE-2018-19351