Cert-Eu

**Name of the Vulnerable Software and Affected Versions** Open Notebook version 1.8.1 **Description** Improper input validation combined with an overly permissive default Cross-Origin Resource Sharing (CORS) configuration allows a remote attacker to trick a legitimate user into altering or deleting arbitrary database entries using a specially crafted malicious URL. Depending on the deployment, this may also enable data exfiltration. This issue is a Cross-Site Request Forgery (CSRF), which occurs when an attacker induces a victim to perform actions they do not intend to take. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Open Notebook version 1.8.3 **Description** Insufficient user input sanitization allows an application user to perform Server-Side Template Injection (SSTI), a flaw where an attacker can inject malicious templates into a server-side engine. This enables the execution of Python code and subsequent operating system commands within the docker container through user-created transformations. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Open Notebook version 1.8.3 **Description** Insufficient user input validation in the file upload functionality allows an authenticated user to create or modify files within the docker container using path traversal, a technique used to access files and directories that are stored outside the intended folder. **Recommendations** Update Open Notebook to a version later than 1.8.3. As a temporary workaround, restrict access to the file upload functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Open Notebook version 1.8.3 **Description** Insufficient user input validation in the file upload functionality allows an application user to access local file content from the docker container through path traversal, a technique used to access files and directories that are stored outside the web root folder. **Recommendations** Update Open Notebook version 1.8.3 to a version that addresses this issue. As a temporary workaround, restrict access to the file upload functionality to minimize the risk of exploitation.