Lack of Content Security Policy (CSP) Header in Jupyter Notebook before 5.5.0 Allows XSS Payload in SVG Documents

CVE-2018-21030 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Jupyter Notebook before 5.5.0 does not use a CSP header to treat served files as belonging to a separate origin. Thus, for example, an XSS payload can be placed in an SVG document.
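The mitigation class the description points at is an isolating CSP on every served file: if the response carries a `sandbox` directive, the browser renders the SVG in an opaque origin and any script inside it cannot reach the notebook server's cookies, tokens or DOM. The following added example (not Jupyter's own code, and not a quotation of the 5.5.0 patch) does two defender-side things: `served_file_is_isolated()` checks a response's headers the way a review of a file-serving endpoint would, and `IsolatingFileHandler` shows the corrected configuration on Python's stock `SimpleHTTPRequestHandler`. The sample header sets are constructed for illustration; the acceptance rule (sandbox without `allow-same-origin`, or an explicit `'none'` script source) is this example's baseline, not an upstream specification.

```python
"""Check whether file-download responses isolate served content from the
site origin, and show a file handler that does so.

Added example for CVE-2018-21030; not Jupyter's own code. The acceptance
rule in served_file_is_isolated() is this example's baseline (assumption),
not the exact policy string shipped upstream.
"""
from http.server import HTTPServer, SimpleHTTPRequestHandler
from typing import Dict, List, Optional


def parse_csp(header: Optional[str]) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [values]}.

    Directive names are lower-cased; a missing or empty header yields {}.
    """
    policy: Dict[str, List[str]] = {}
    if not header:
        return policy
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def served_file_is_isolated(headers: Dict[str, str]) -> bool:
    """Return True if the CSP on a served-file response keeps scripts in the
    file away from the serving origin.

    Accepted (assumption: this example's baseline):
      * a `sandbox` directive that does not re-grant `allow-same-origin`
        (scripts may still run with allow-scripts, but in an opaque origin);
      * otherwise an effective script source of exactly 'none'.
    Anything else, including no CSP header at all, is reported as exposed.
    """
    raw = next((v for k, v in headers.items()
                if k.lower() == "content-security-policy"), None)
    policy = parse_csp(raw)
    if "sandbox" in policy:
        return "allow-same-origin" not in policy["sandbox"]
    script_src = policy.get("script-src", policy.get("default-src"))
    return script_src == ["'none'"]


class IsolatingFileHandler(SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler that labels every served file as sandboxed.

    `sandbox` puts the document in an opaque origin; `nosniff` stops the
    browser from upgrading an oddly-typed file into an active document.
    """

    def end_headers(self) -> None:
        self.send_header("Content-Security-Policy", "sandbox")
        self.send_header("X-Content-Type-Options", "nosniff")
        super().end_headers()


# Constructed sample responses for an SVG download endpoint (not captured
# from any real server): the pre-5.5.0 shape, and three corrected shapes.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "no_csp": {"Content-Type": "image/svg+xml"},
    "sandbox": {"Content-Type": "image/svg+xml",
                "Content-Security-Policy": "sandbox"},
    "sandbox_same_origin": {"Content-Type": "image/svg+xml",
                            "Content-Security-Policy":
                                "sandbox allow-scripts allow-same-origin"},
    "script_none": {"Content-Type": "image/svg+xml",
                    "content-security-policy":
                        "default-src 'self'; script-src 'none'"},
}


def classify_samples() -> Dict[str, bool]:
    """Run the check over every constructed sample; True means isolated."""
    return {name: served_file_is_isolated(h)
            for name, h in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, isolated in classify_samples().items():
        print(f"{name:20s} {'isolated' if isolated else 'EXPOSED'}")
    # To serve the current directory with the isolating header:
    #   HTTPServer(("127.0.0.1", 8000), IsolatingFileHandler).serve_forever()
```

When auditing a real deployment, fetch a served file with `curl -sI` and feed the response headers into `served_file_is_isolated()`; the `sandbox_same_origin` sample is the trap worth remembering, since a sandbox that re-grants the origin gives back exactly the access the header was meant to remove.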