GHSA-vmhf-c436-hxj4: JupyterLab: Stored XSS in extension manager through package metadata unsanitized URI protocol
A malicious PyPI package can place a javascript: URL in its [project.urls] metadata. JupyterLab’s Extension Manager renders this as the extension’s home-page link without validating the protocol, so a user who clicks the extension name executes attacker-controlled JavaScript in the JupyterLab origin.
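The mitigation the advisory implies is to allow-list the URL scheme before package metadata is turned into a clickable link. The following is an added example, not JupyterLab's own code or its fix: it parses the candidate URL with the WHATWG URL parser (which, like the browser, strips surrounding whitespace, removes embedded tabs and newlines, and lowercases the scheme, so string-prefix checks that would miss `" JavaScript:"` are avoided), accepts only `http:`/`https:`, and otherwise renders the extension name as plain text. The `Homepage` key, the `renderExtensionLink` shape and the sample metadata are constructed for the example.

```javascript
// Added example (not JupyterLab's code): allow-list the URL scheme before
// using package-metadata URLs as link targets in the browser.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Return a normalized href for `raw` if it is safe to link, else null.
function safeHomepageHref(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    // The WHATWG parser trims leading/trailing C0 controls and spaces,
    // drops embedded tab/newline characters and lowercases the scheme,
    // exactly as a browser does before navigating. Parsing first means
    // "  JaVa\tScript:..." is still recognised as protocol "javascript:".
    url = new URL(raw);
  } catch {
    return null; // relative or unparsable strings are not linkable here
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  return url.href;
}

// Build the title element for an extension card from its name and its
// [project.urls]-style metadata. Assumption: the metadata arrives as a
// plain object keyed by label (e.g. "Homepage"). The returned object is a
// DOM-independent description so the logic can be tested outside a browser.
function renderExtensionLink(name, projectUrls) {
  const candidate =
    projectUrls && typeof projectUrls.Homepage === "string"
      ? projectUrls.Homepage
      : null;
  const href = candidate === null ? null : safeHomepageHref(candidate);
  if (href === null) {
    // No safe link: show the name as inert text instead of a clickable anchor.
    return { tag: "span", text: name };
  }
  return { tag: "a", text: name, href, rel: "noopener noreferrer", target: "_blank" };
}

// Constructed sample metadata (not from any real package).
const SAMPLE_METADATA = {
  "good-ext": { Homepage: "HTTPS://Example.org/good-ext" },
  "bad-ext": { Homepage: "  JavaScript:void(0)" },
  "odd-ext": { Homepage: "example.org/no-scheme" },
};

for (const [name, urls] of Object.entries(SAMPLE_METADATA)) {
  console.log(name, JSON.stringify(renderExtensionLink(name, urls)));
}
```

Because the decision is made on the parsed `protocol`, case variations, leading whitespace and embedded tabs all resolve to the same rejected scheme, and `data:`/`vbscript:`/`file:` fall out automatically since only the two allow-listed schemes pass. Returning `url.href` rather than the raw string also means the anchor receives a canonical URL.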
References
- github.com/advisories/GHSA-vmhf-c436-hxj4
- github.com/jupyterlab/jupyterlab/commit/4e61e07d0a91145b53fbf96ac74b0387f6bc51f6
- github.com/jupyterlab/jupyterlab/commit/d5d961f6e10a6442dddbf94d9a976b3897055a12
- github.com/jupyterlab/jupyterlab/releases/tag/v4.5.9
- github.com/jupyterlab/jupyterlab/security/advisories/GHSA-vmhf-c436-hxj4