CVE-2021-32797 HIGH

CVE-2021-32797: JupyterLab: XSS due to lack of sanitization of the action attribute of an html <form>

Vendor Jupyterlab
Product jupyterlab
Weakness CWE-79 · XSS
Published August 9, 2021
Last update August 3, 2024
View on NVD All CVEs

CVSS base score

7.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

JupyterLab is a user interface for Project Jupyter which will eventually replace the classic Jupyter Notebook. In affected versions untrusted notebook can execute code on load. In particular JupyterLab doesn’t sanitize the action attribute of html `<form>`. Using this it is possible to trigger the form validation outside of the form itself. This is a remote code execution, but requires user action to open a notebook.

Key dates

02Disclosure timeline

August 9, 2021 CVE published
August 3, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-52854 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2023-29207 Improper Neutralization of Script-Related HTML Tags (XSS) in the LiveTable Macro CVE-2024-8541 Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons <= 2.6.5 - Reflected Cross-Site Scripting CVE-2023-43716 Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS) CVE-2023-3477 RocketSoft Rocket LMS Contact Form store cross site scripting