PT-2021-23117 · Jupyterlab+1 · Nbdime-Jupyterlab+1

Vidartf · Published 2021-11-03 · Updated 2021-11-08 · CVE-2021-41134

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
nbdime versions prior to 1.1.1
nbdime versions prior to 2.1.1
nbdime versions prior to 3.1.1
nbdime versions prior to 5.0.2
nbdime versions prior to 6.1.2
nbdime-jupyterlab versions prior to 1.0.1
nbdime-jupyterlab versions prior to 2.1.1
Description
A stored cross-site scripting (XSS) issue exists in the nbdime project. It arises from improper handling of user-controlled input, specifically file names and paths read from disk. The issue originates in nbdime's diffNotebookCheckpoint function: when displaying the name of the local notebook, nbdime appends .ipynb to the name of the input file. The NbdimeWidget is then created and the resulting base string is passed through to the request API function, so the frontend renders any HTML tags contained in the file name, including potentially malicious content.
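The data flow described above, as an added illustration that is not nbdime's own code: a base name read from disk has ".ipynb" appended and is placed into widget markup. The function names (unsafeLabelHtml, safeLabelHtml, escapeHtml, hasMarkupChars) and the sample file name are assumptions made for this example; the fix shown is the generic one (HTML-escape untrusted text before it reaches innerHTML or equivalent), not a copy of the project's patch.

```javascript
// Added example, not code from the nbdime project.
// Shows why a file name must be treated as text, not markup, when it is
// rendered into a widget label.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can change HTML structure or attribute
// boundaries. Everything else is left untouched.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern (hypothetical): the base name is interpolated
// directly into markup, so any tag in the file name is parsed as HTML.
function unsafeLabelHtml(baseName) {
  return `<span class="nb-name">${baseName}.ipynb</span>`;
}

// Hardened pattern: the base name is escaped first, so the same input is
// rendered literally as text.
function safeLabelHtml(baseName) {
  return `<span class="nb-name">${escapeHtml(baseName)}.ipynb</span>`;
}

// Optional server-side check a maintainer might log on: flags names read
// from disk that contain markup-significant characters. Escaping remains
// the actual fix; this only makes such names visible in logs.
function hasMarkupChars(name) {
  return /[&<>"']/.test(String(name));
}

// Constructed sample input: a file name containing harmless tags.
const SAMPLE_NAME = 'report<b>bold</b>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', unsafeLabelHtml(SAMPLE_NAME));
  console.log('safe   :', safeLabelHtml(SAMPLE_NAME));
  console.log('flagged:', hasMarkupChars(SAMPLE_NAME));
}
```

The hardened form keeps the exact behaviour the advisory describes (appending .ipynb to the base name) while making the file name inert; in a real widget the equivalent is setting `textContent` on the label element instead of building an HTML string.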
Recommendations
For nbdime versions prior to 1.1.1, update to version 1.1.1 or later.
For nbdime versions prior to 2.1.1, update to version 2.1.1 or later.
For nbdime versions prior to 3.1.1, update to version 3.1.1 or later.
For nbdime versions prior to 5.0.2, update to version 5.0.2 or later.
For nbdime versions prior to 6.1.2, update to version 6.1.2 or later.
For nbdime-jupyterlab versions prior to 1.0.1, update to version 1.0.1 or later.
For nbdime-jupyterlab versions prior to 2.1.1, update to version 2.1.1 or later.

Tags: Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2021-41134
GHSA-P6RW-44Q7-3FW4
OPENSUSE-SU-2024:11630-1
PYSEC-2021-428

Affected Products

Nbdime
Nbdime-Jupyterlab