Unknown · JupyterHub · CVE-2024-28233
**Name of the Vulnerable Software and Affected Versions**
JupyterHub versions prior to 4.1.0
**Description**
The issue allows an attacker to achieve cross-site scripting (XSS) in a user's session by tricking them into visiting a malicious subdomain. This could lead to full access to the JupyterHub API and the user's single-user server. The affected configurations include single-origin JupyterHub deployments and deployments with user-controlled applications running on subdomains or peer subdomains of either the Hub or a single-user server. An attacker could create and exfiltrate an API token, exfiltrate files hosted on the user's single-user server, or install malicious extensions.
**Recommendations**
For versions prior to 4.1.0, upgrade to JupyterHub 4.1.0, enable per-user domains via `c.JupyterHub.subdomain_host`, and set `c.JupyterHub.cookie_host_prefix_enabled` to `True` to enable domain-locked cookies. Alternatively, deploy JupyterHub on its own domain and enable per-user domains via `c.JupyterHub.subdomain_host`.
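As an added example (not from the advisory or the JupyterHub project), the script below loads a `jupyterhub_config.py` with a stand-in for JupyterHub's `c` config object and reports which of the recommended settings are missing or malformed; the two sample config strings are constructed, and `hub.example.org` is a placeholder hostname.

```python
# Audit a jupyterhub_config.py against the CVE-2024-28233 recommendations.
# Added example; assumes the `c.<Section>.<option> = value` style JupyterHub uses.
from itertools import takewhile
from urllib.parse import urlparse

FIXED = (4, 1, 0)  # first release shipping the fix and cookie_host_prefix_enabled

class _Section:
    """Records `c.<Section>.<option> = value` assignments in a dict."""
    def __init__(self):
        self.__dict__["values"] = {}
    def __setattr__(self, name, value):
        self.values[name] = value

class _Config:
    """Stand-in for JupyterHub's `c`; sections are created on first access."""
    def __init__(self):
        self.__dict__["sections"] = {}
    def __getattr__(self, name):
        return self.sections.setdefault(name, _Section())

def parse_version(v):
    """'4.1.0' -> (4, 1, 0); a pre-release suffix such as '4.1.0b1' is ignored."""
    parts = [int("".join(takewhile(str.isdigit, p)) or 0) for p in v.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def audit(config_text, version):
    """Return a list of findings; an empty list means the recommendations are met."""
    c = _Config()
    exec(config_text, {"c": c})  # config files are Python, as in JupyterHub itself
    hub = c.JupyterHub.values
    findings = []
    if parse_version(version) < FIXED:
        findings.append("upgrade: JupyterHub %s is older than 4.1.0" % version)
    host = hub.get("subdomain_host")
    if not host:
        findings.append("subdomain_host unset: users share one origin with the Hub")
    else:
        u = urlparse(host)
        if u.scheme != "https" or not u.hostname:
            findings.append("subdomain_host must be an https URL with a host, got %r" % host)
    if hub.get("cookie_host_prefix_enabled") is not True:
        findings.append("cookie_host_prefix_enabled is not True: cookies are not domain-locked")
    return findings

# Constructed sample configs: a single-origin deployment and a hardened one.
VULNERABLE_CFG = 'c.JupyterHub.bind_url = "http://:8000"\n'
HARDENED_CFG = ('c.JupyterHub.subdomain_host = "https://hub.example.org"\n'
                'c.JupyterHub.cookie_host_prefix_enabled = True\n')

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit(cfg, "4.0.2"))
```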