CVE-2018-19351

Name of the Vulnerable Software and Affected Versions Jupyter Notebook versions prior to 5.7.1

Description The issue allows for cross-site scripting (XSS) attacks via an untrusted notebook. This is because nbconvert responses are considered to have the same origin as the notebook server, enabling nbconvert endpoints to execute JavaScript with access to the server API. Specifically, in the notebook/nbconvert/handlers.py file, the NbconvertFileHandler and NbconvertPostHandler do not set a Content Security Policy, which would prevent this issue.

Recommendations For versions prior to 5.7.1, update to version 5.7.1 or later to resolve the issue. As a temporary workaround, consider setting a Content Security Policy to restrict JavaScript execution from untrusted sources. Restrict access to nbconvert endpoints to minimize the risk of exploitation.