Jupyterlab · Nbdime-Jupyterlab · CVE-2021-41134
**Name of the Vulnerable Software and Affected Versions**
nbdime versions prior to 1.1.1
nbdime versions prior to 2.1.1
nbdime versions prior to 3.1.1
nbdime versions prior to 5.0.2
nbdime versions prior to 6.1.2
nbdime-jupyterlab versions prior to 1.0.1
nbdime-jupyterlab versions prior to 2.1.1
**Description**
A stored cross-site scripting (XSS) issue exists in the nbdime project. It arises from improper handling of user-controlled input, specifically file names and paths read from disk. The flaw is in nbdime's `diffNotebookCheckpoint` function: to display the name of the local notebook, nbdime appends `.ipynb` to the name of the input file, creates the `NbdimeWidget`, and passes the base string through to the request API function. This allows the frontend to render HTML tags and potentially malicious content contained in that string.
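The rendering pattern described above, shown beside an escaped form and a file-name audit. This is an added example, not nbdime's own code: `renderLabelUnsafe`, `renderLabelSafe`, `findSuspiciousNames` and the sample names are hypothetical, and HTML string building stands in for the widget's DOM code.

```javascript
// Added illustration, not nbdime source. All function names are hypothetical.

// Characters that let text break out of HTML text or attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pattern from the description: the notebook base name gets ".ipynb"
// appended and reaches an HTML sink unchanged, so tags in the name render.
function renderLabelUnsafe(base) {
  return `<span class="diff-label">${base}.ipynb</span>`;
}

// Hardened form: the file name is data and is escaped before it reaches
// markup. In DOM code the equivalent is assigning to textContent.
function renderLabelSafe(base) {
  return `<span class="diff-label">${escapeHtml(base)}.ipynb</span>`;
}

// Defender-side audit: list notebook names that contain angle brackets,
// which have no place in a normal notebook file name.
function findSuspiciousNames(names) {
  return names.filter((name) => /[<>]/.test(name));
}

// Constructed sample input (harmless markup only).
const SAMPLE_NAMES = ['analysis', 'q3 results', '<i>report</i>', 'a&b'];

for (const name of SAMPLE_NAMES) {
  console.log('unsafe:', renderLabelUnsafe(name));
  console.log('safe:  ', renderLabelSafe(name));
}
console.log('flagged:', findSuspiciousNames(SAMPLE_NAMES));
```

Upgrading to a fixed release remains the remedy; the audit only helps find names already stored on disk.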
**Recommendations**
For nbdime versions prior to 1.1.1, update to version 1.1.1 or later.
For nbdime versions prior to 2.1.1, update to version 2.1.1 or later.
For nbdime versions prior to 3.1.1, update to version 3.1.1 or later.
For nbdime versions prior to 5.0.2, update to version 5.0.2 or later.
For nbdime versions prior to 6.1.2, update to version 6.1.2 or later.
For nbdime-jupyterlab versions prior to 1.0.1, update to version 1.0.1 or later.
For nbdime-jupyterlab versions prior to 2.1.1, update to version 2.1.1 or later.