Nexus IQ vulnerability flag #13210
Comments
@AsymptoticBrain Thanks for the issue. First things first, please, and I am begging you, don't report security vulnerabilities publicly. Like EVER. Regarding the mathjax, this relates to which sphinx version you want to use to build your documentation.
Scipy HTML docs bundle mathjax (for offline use). The version used is here: https://github.com/scipy/scipy-mathjax --- it's mathjax 2.7.1 and maybe could be upgraded. However, I don't think it's vulnerable to XSS here, because the Scipy doc pages contain solely static content and there is no user-provided untrusted content.
When scanning my dependencies Nexus IQ flags scipy for CVE-2018-1999024, a vulnerability related to mathjax versions prior to 2.7.4. I can't seem to find any information on what version scipy is running at all, or whether it's flagging in error.
MathJax versions prior to 2.7.4 contain a Cross Site Scripting (XSS) vulnerability in the \unicode{} macro that can result in potentially untrusted JavaScript running within a web browser. This attack appears to be exploitable via the following: the victim must view a page where untrusted content is processed using MathJax. This vulnerability appears to have been fixed in 2.7.4 and later.
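As an added check, not part of the issue thread or of SciPy's own code: a small Python scan that reads the MathJax version declared in a built documentation tree and compares it against the 2.7.4 fix level quoted above. It assumes the MathJax 2.x convention that `MathJax.js` declares its version as `MathJax.version = "x.y.z"`; the sample source string is constructed for illustration.

```python
import re
import sys
from pathlib import Path
from typing import Iterator, Optional, Tuple

# First MathJax release that fixes CVE-2018-1999024, per the advisory text quoted in the issue.
FIXED_VERSION = "2.7.4"

# Assumption: MathJax 2.x sets its version in MathJax.js as `MathJax.version = "2.7.1";`.
_VERSION_RE = re.compile(r'MathJax\.version\s*=\s*"(\d+(?:\.\d+)*)"')

# Constructed sample of the relevant line, not a real bundled file.
SAMPLE_MATHJAX_JS = 'MathJax.version = "2.7.1";  MathJax.fileversion = "2.7.1";'


def parse_mathjax_version(js_source: str) -> Optional[str]:
    """Return the version string declared in MathJax.js source, or None if absent."""
    match = _VERSION_RE.search(js_source)
    return match.group(1) if match else None


def _as_tuple(version: str) -> Tuple[int, ...]:
    """Turn '2.7.1' into (2, 7, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` predates the fixed release (e.g. 2.7.1 < 2.7.4, 2.7.10 >= 2.7.4)."""
    return _as_tuple(version) < _as_tuple(fixed)


def scan_docs_tree(root: Path) -> Iterator[Tuple[Path, str, bool]]:
    """Yield (path, version, affected) for every MathJax.js found under a docs tree."""
    for path in root.rglob("MathJax.js"):
        version = parse_mathjax_version(path.read_text(encoding="utf-8", errors="replace"))
        if version is not None:
            yield path, version, is_affected(version)


if __name__ == "__main__":
    docs_root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, version, affected in scan_docs_tree(docs_root):
        status = f"AFFECTED (< {FIXED_VERSION})" if affected else "ok"
        print(f"{path}: MathJax {version} -> {status}")
```

A flagged version only matters where untrusted TeX input reaches the renderer; for docs that render fixed, author-controlled content offline, the report is an inventory finding rather than an exposed XSS path.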