{"id":"PYSEC-2021-130","details":"JupyterLab is a user interface for Project Jupyter which will eventually replace the classic Jupyter Notebook. In affected versions, an untrusted notebook can execute code on load. In particular, JupyterLab doesn’t sanitize the action attribute of HTML `\u003cform\u003e`. Using this it is possible to trigger the form validation outside of the form itself. This is remote code execution, but it requires user action to open a notebook.","aliases":["BIT-jupyterlab-2021-32797","CVE-2021-32797","GHSA-4952-p58q-6crx"],"modified":"2023-12-06T01:01:15.795888Z","published":"2021-08-09T21:15:00Z","references":[{"type":"FIX","url":"https://github.com/jupyterlab/jupyterlab/commit/504825938c0abfa2fb8ff8d529308830a5ae42ed"},{"type":"ADVISORY","url":"https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx"}],"affected":[{"package":{"name":"jupyterlab","ecosystem":"PyPI","purl":"pkg:pypi/jupyterlab"},"ranges":[{"type":"GIT","repo":"https://github.com/jupyterlab/jupyterlab","events":[{"introduced":"0"},{"fixed":"504825938c0abfa2fb8ff8d529308830a5ae42ed"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2.21"},{"introduced":"2"},{"fixed":"2.2.10"},{"introduced":"2.3"},{"fixed":"2.3.2"},{"introduced":"3"},{"fixed":"3.0.17"},{"introduced":"3.1"},{"fixed":"3.1.4"}]}],"versions":["0.0.1","0.0.10","0.0.13","0.0.2","0.0.3","0.0.4","0.0.5","0.0.6","0.0.7","0.0.8","0.0.9","0.1.1","0.1.2","0.10.0","0.11.0","0.11.1","0.11.2","0.11.3","0.12.0","0.12.1","0.13.0","0.13.1","0.13.2","0.14.0","0.15.0","0.15.1","0.16.0","0.16.2","0.17.0","0.17.1","0.17.2","0.17.4","0.17.5","0.18.0","0.18.0.dev1","0.18.1","0.19.0","0.2.0","0.20.0","0.20.0rc1","0.20.1","0.20.2","0.20.3","0.20.4","0.21.0","0.21.0rc1","0.21.0rc2","0.21.0rc3","0.21.0rc4","0.21.0rc5","0.22.0","0.22.0rc0","0.22.1","0.23.0","0.23.0rc0","0.23.0rc1","0.23.1","0.23.2","0.24.0","0.24.0rc0","0.24.0rc1","0.24.0rc2","0.24.1","0.25.0","0.25.0rc0","0.25.0rc1","0.25.1","0.25.2","0.25.2r
c0","0.26.0","0.26.0rc0","0.26.0rc1","0.26.1","0.26.2","0.26.3","0.26.4","0.26.5","0.27.0","0.27.0rc0","0.27.0rc1","0.27.0rc2","0.27.0rc3","0.27.0rc4","0.27.0rc5","0.27.1","0.27.2","0.28.0","0.28.0rc0","0.28.0rc1","0.28.0rc2","0.28.0rc3","0.28.1","0.28.10","0.28.11","0.28.12","0.28.13","0.28.14","0.28.15","0.28.2","0.28.3","0.28.4","0.28.5","0.28.6","0.28.7","0.28.8","0.29.0","0.29.0rc0","0.29.1","0.29.2","0.3.0","0.30.0","0.30.0rc0","0.30.0rc1","0.30.1","0.30.2","0.30.3","0.30.4","0.30.5","0.30.6","0.31.0","0.31.0rc0","0.31.0rc1","0.31.0rc2","0.31.1","0.31.10","0.31.11","0.31.12","0.31.2","0.31.3","0.31.4","0.31.5","0.31.6","0.31.7","0.31.8","0.31.9","0.32.0","0.32.0rc0","0.32.0rc1","0.32.1","0.33.0","0.33.0rc0","0.33.0rc1","0.33.1","0.33.10","0.33.11","0.33.12","0.33.2","0.33.3","0.33.4","0.33.5","0.33.6","0.33.7","0.33.8","0.33.9","0.34.0","0.34.0rc0","0.34.0rc1","0.34.0rc2","0.34.1","0.34.10","0.34.11","0.34.12","0.34.2","0.34.3","0.34.4","0.34.5","0.34.6","0.34.7","0.34.8","0.34.9","0.35.0","0.35.0rc0","0.35.0rc1","0.35.0rc2","0.35.1","0.35.2","0.35.3","0.35.4","0.35.5","0.35.6","0.4.0","0.4.1","0.5.0","0.6.0","0.7.0","0.8.0","0.9.0","0.9.1","1.0.0","1.0.0a0","1.0.0a1","1.0.0a10","1.0.0a2","1.0.0a3","1.0.0a4","1.0.0a5","1.0.0a6","1.0.0a7","1.0.0a8","1.0.0a9","1.0.0rc0","1.0.0rc1","1.0.1","1.0.10","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.9","1.1.0","1.1.0a0","1.1.0a1","1.1.0a2","1.1.0rc0","1.1.1","1.1.2","1.1.3","1.1.4","1.1.5","1.2.0","1.2.0a0","1.2.0a1","1.2.0a2","1.2.0a3","1.2.0rc0","1.2.1","1.2.10","1.2.11","1.2.12","1.2.13","1.2.14","1.2.15","1.2.16","1.2.17","1.2.18","1.2.19","1.2.2","1.2.20","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.2.8","1.2.9","2.0.0","2.0.1","2.0.1rc0","2.0.2","2.1.0","2.1.0a0","2.1.0b0","2.1.0rc0","2.1.1","2.1.2","2.1.3","2.1.4","2.1.5","2.2.0","2.2.0a0","2.2.0a1","2.2.0rc1","2.2.1","2.2.2","2.2.4","2.2.5","2.2.6","2.2.7","2.2.8","2.2.9","2.3.0","2.3.1","3.0.0","3.0.1","3.0.10","3.0.11","3.0.12","3.0.13","3.0.14","3.0.15"
,"3.0.16","3.0.2","3.0.3","3.0.4","3.0.5","3.0.6","3.0.7","3.0.8","3.0.9","3.1.0","3.1.1","3.1.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/jupyterlab/PYSEC-2021-130.yaml"}}],"schema_version":"1.7.3"}