{"id":"PYSEC-2018-18","details":"Jupyter Notebook before 5.7.2 allows cross-site scripting (XSS) via a crafted directory name because notebook/static/tree/js/notebooklist.js handles certain URLs unsafely. The issue is fixed in notebook 5.7.2 (commit 288b73e1edbf527740e273fcc69b889460871648).","aliases":["CVE-2018-19352","GHSA-3p4q-x8f3-p7vq"],"modified":"2023-11-08T04:00:07.695509Z","published":"2018-11-18T17:29:00Z","references":[{"type":"PACKAGE","url":"https://pypi.org/project/notebook/#history"},{"type":"FIX","url":"https://github.com/jupyter/notebook/commit/288b73e1edbf527740e273fcc69b889460871648"},{"type":"WEB","url":"https://github.com/jupyter/notebook/blob/master/docs/source/changelog.rst"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-3p4q-x8f3-p7vq"}],"affected":[{"package":{"name":"notebook","ecosystem":"PyPI","purl":"pkg:pypi/notebook"},"ranges":[{"type":"GIT","repo":"https://github.com/jupyter/notebook","events":[{"introduced":"0"},{"fixed":"288b73e1edbf527740e273fcc69b889460871648"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.7.2"}]}],"versions":["0.0.0","4.0.0","4.0.1","4.0.2","4.0.4","4.0.5","4.0.6","4.1.0","4.2.0","4.2.0b1","4.2.1","4.2.2","4.2.3","4.3.0","4.3.1","4.3.2","4.4.0","4.4.1","5.0.0","5.0.0b1","5.0.0b2","5.0.0rc1","5.0.0rc2","5.1.0","5.1.0rc1","5.1.0rc2","5.1.0rc3","5.2.0","5.2.0rc1","5.2.1","5.2.1rc1","5.2.2","5.3.0","5.3.0rc1","5.3.1","5.4.0","5.4.1","5.5.0","5.5.0rc1","5.6.0","5.6.0rc1","5.7.0","5.7.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/notebook/PYSEC-2018-18.yaml"}}],"schema_version":"1.7.3"}