CVE-2024-28233 HIGH

CVE-2024-28233: XSS in JupyterHub via Self-XSS leveraged by Cookie Tossing

Vendor Jupyterhub
Product jupyterhub
Weakness CWE-79 · XSS
Published March 27, 2024
Last update August 15, 2024
View on NVD All CVEs

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

JupyterHub is an open source multi-user server for Jupyter notebooks. By tricking a user into visiting a malicious subdomain, the attacker can achieve an XSS directly affecting the former's session. More precisely, in the context of JupyterHub, this XSS could achieve full access to JupyterHub API and user's single-user server. The affected configurations are single-origin JupyterHub deployments and JupyterHub deployments with user-controlled applications running on subdomains or peer subdomains of either the Hub or a single-user server. This vulnerability is fixed in 4.1.0.

Key dates

02Disclosure timeline

March 27, 2024 CVE published
August 15, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-2179 Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type CVE-2025-46947 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2026-3604 WP SEO Structured Data Schema <= 2.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_kcseo_ative_tab' Parameter CVE-2023-50828 WordPress Ultimate Dashboard Plugin <= 3.7.11 is vulnerable to Cross Site Scripting (XSS) CVE-2024-22230