Untrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.
5.7.11, 6.4.1
OWASP Page on Injection Prevention
If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.
Credit: Guillaume Jeanne from Google
A notebook with the following content in a cell and it would display an alert when opened for the first time in Notebook (in an untrusted state):
{ "cell_type": "code", "execution_count": 0, "metadata": {}, "outputs": [ { "data": { "text/html": [ "<select><iframe></select><img src=x: onerror=alert('xss')>\n"], "text/plain": [] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "" ] }
{ "nvd_published_at": "2021-08-09T21:15:00Z", "cwe_ids": [ "CWE-75", "CWE-79", "CWE-80" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-08-23T16:44:43Z" }