Cross-site Request Forgery (CSRF) Affecting notebook package, versions [,4.3.1)
Snyk ID SNYK-PYTHON-NOTEBOOK-2438395
- published 1 Apr 2022
- disclosed 1 Apr 2022
- credit Unknown
How to fix?
Upgrade notebook to version 4.3.1 or higher.
Overview
notebook is a web application that allows you to create and share documents that contain live code, equations, visualizations, and explanatory text.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). HTML form submissions in Firefox do not send an Origin header, so a cross-site POST request with an empty body can trigger certain actions, such as starting a kernel, bypassing the existing origin checks.
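The following is an added illustration, not code from the notebook project: a fail-open origin check of the kind the advisory describes, next to a fail-closed check that treats a missing Origin header as untrusted, falls back to the Referer origin, and additionally requires a double-submit XSRF token. The allow-list in TRUSTED_ORIGINS, the `_xsrf` cookie and `X-XSRFToken` header names, and the sample requests are all assumptions constructed for the example.

```python
import hmac
from urllib.parse import urlsplit

# Assumed allow-list of origins the server considers its own.
TRUSTED_ORIGINS = {"http://localhost:8888"}


def origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin, or None if it has no host."""
    parts = urlsplit(url or "")
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else None


def weak_origin_check(headers):
    """Fail-open pattern the advisory describes: no Origin header is treated as
    same-origin, so a Firefox form POST (which sends no Origin) is accepted."""
    origin = headers.get("Origin")
    return True if origin is None else origin in TRUSTED_ORIGINS


def hardened_check(headers, cookies, form):
    """Fail-closed: derive the source from Origin, then Referer; reject when neither
    is present or the source is not trusted; then require a double-submit XSRF
    token (assumed mechanism) that matches the _xsrf cookie."""
    source = headers.get("Origin") or origin_of(headers.get("Referer"))
    if source not in TRUSTED_ORIGINS:
        return False
    cookie_token = cookies.get("_xsrf", "")
    submitted = headers.get("X-XSRFToken") or form.get("_xsrf") or ""
    return bool(cookie_token) and hmac.compare_digest(cookie_token, submitted)


# Constructed sample requests; the browser attaches the session cookies to all of them.
COOKIES = {"_xsrf": "tok-3f9a"}
FIREFOX_FORM_POST = {"Referer": "http://attacker.example/page.html"}  # no Origin, empty body
NO_HEADERS_POST = {}                                                   # neither Origin nor Referer
LEGIT_POST = {"Origin": "http://localhost:8888", "X-XSRFToken": "tok-3f9a"}
EXPLICIT_CROSS_ORIGIN = {"Origin": "http://attacker.example"}


def decisions(headers, form=None):
    """Return (weak_result, hardened_result) for one request."""
    return weak_origin_check(headers), hardened_check(headers, COOKIES, form or {})


if __name__ == "__main__":
    for name, hdrs in [("firefox form", FIREFOX_FORM_POST), ("no headers", NO_HEADERS_POST),
                       ("legit", LEGIT_POST), ("explicit cross-origin", EXPLICIT_CROSS_ORIGIN)]:
        weak, hard = decisions(hdrs)
        print(f"{name:22s} weak={weak!s:5} hardened={hard}")
```

Only the legitimate same-origin request carrying the matching token passes the hardened check; both header-less cases that the weak check accepts are rejected.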