{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-05T07:08:15.977","vulnerabilities":[{"cve":{"id":"CVE-2025-23205","sourceIdentifier":"security-advisories@github.com","published":"2025-01-17T21:15:11.850","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"nbgrader is a system for assigning and grading notebooks. Enabling frame-ancestors: 'self' grants any JupyterHub user the ability to extract formgrader content by sending malicious links to users with access to formgrader, at least when using the default JupyterHub configuration of `enable_subdomains = False`. #1915 disables a protection which would allow user Alice to craft a page embedding formgrader in an IFrame. If Bob visits that page, his credentials will be sent and the formgrader page loaded. Because Alice's page is on the same Origin as the formgrader iframe, JavaScript on Alice's page has _full access_ to the contents of the page served by formgrader using Bob's credentials. This issue has been addressed in release 0.9.5 and all users are advised to upgrade. Users unable to upgrade may disable `frame-ancestors: self`, or enable per-user and per-service subdomains with `JupyterHub.enable_subdomains = True` (then even if embedding in an IFrame is allowed, the host page does not have access to the contents of the frame)."},{"lang":"es","value":"nbgrader es un sistema para asignar y calificar cuadernos. Habilitar frame-ancestors: 'self' otorga a cualquier usuario de JupyterHub la capacidad de extraer contenido de formgrader enviando enlaces maliciosos a usuarios con acceso a formgrader, al menos cuando se usa la configuración predeterminada de JupyterHub de `enable_subdomains = False`. #1915 deshabilita una protección que permitiría al usuario Alice manipular una página que incorpore formgrader en un IFrame. Si Bob visita esa página, se enviarán sus credenciales y se cargará la página formgrader. Debido a que la página de Alice está en el mismo origen que el iframe formgrader, JavaScript en la página de Alice tiene _acceso completo_ al contenido de la página servida por formgrader usando las credenciales de Bob. Este problema se ha solucionado en la versión 0.9.5 y se recomienda a todos los usuarios que actualicen. Los usuarios que no puedan actualizar pueden deshabilitar frame-ancestors: self o habilitar subdominios por usuario y por servicio con JupyterHub.enable_subdomains = True (luego, incluso si se permite la incrustación en un IFrame, la página del host no tiene acceso al contenido del frame)."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"PASSIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact"
:"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-668"}]}],"references":[{"url":"https://github.com/jupyter/nbgrader/commit/73e137511ac1dc02e95790d4fd6d4d88dab42325","source":"security-advisories@github.com"},{"url":"https://github.com/jupyter/nbgrader/pull/1915","source":"security-advisories@github.com"},{"url":"https://github.com/jupyter/nbgrader/security/advisories/GHSA-fcr8-4r9f-r66m","source":"security-advisories@github.com"},{"url":"https://jupyterhub.readthedocs.io/en/stable/explanation/websecurity.html#:~:text=frame-ancestors","source":"security-advisories@github.com"}]}}]}