github lfnovo/open-notebook v1.8.3
v1.8.3 - Security Fix

13 hours ago

Security

  • Fix SurrealDB injection via unsanitized order_by query parameter (CVSS 8.7 High)
    • GET /api/notebooks accepted arbitrary input in the order_by parameter, allowing injection of SurrealQL commands. Exploitable via CSRF by tricking a user into clicking a crafted URL.
    • Added allowlist validation for sorting parameters in the notebooks endpoint
    • Replaced f-string query interpolation with parameterized $variable binding in source chat and migration queries
    • Added defensive validation in the get_all() base method to prevent injection via order_by parameter
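The three fixes above (an allowlist for the sort parameter, `$variable` binding instead of f-string interpolation, and a defensive check in the shared `get_all()` path) follow one pattern: user-controlled text is never spliced into SurrealQL. The example below is added here to illustrate that pattern; it is not open-notebook's code, and the table name `notebook`, the field allowlist, and the helper names `parse_order_by`, `unsafe_query` and `safe_query` are assumptions.

```python
"""Added illustration (not open-notebook's own code) of the fix pattern
described in the v1.8.3 release note: allowlist the sort clause, bind
data values as $variables. Table and field names are assumptions."""
from __future__ import annotations

from typing import Dict, Optional, Tuple

# Assumed sortable columns of a hypothetical `notebook` table. Only these
# tokens may ever appear in the ORDER BY clause.
ALLOWED_ORDER_FIELDS = frozenset({"created", "updated", "name"})
ALLOWED_DIRECTIONS = frozenset({"asc", "desc"})


class InvalidSortParameter(ValueError):
    """Raised when order_by is not on the allowlist (maps to HTTP 400)."""


def parse_order_by(order_by: str) -> Tuple[str, str]:
    """Validate 'field' or 'field asc|desc' against the allowlist.

    Returns (field, direction). Anything else is rejected outright; the
    raw request string never reaches the query text.
    """
    parts = order_by.strip().split()
    if len(parts) == 1:
        field, direction = parts[0], "asc"
    elif len(parts) == 2:
        field, direction = parts
    else:
        raise InvalidSortParameter(f"unsupported order_by: {order_by!r}")
    field, direction = field.lower(), direction.lower()
    if field not in ALLOWED_ORDER_FIELDS or direction not in ALLOWED_DIRECTIONS:
        raise InvalidSortParameter(f"unsupported order_by: {order_by!r}")
    return field, direction


def unsafe_query(table: str, order_by: str) -> str:
    """The 'before' shape the advisory describes: request input is
    interpolated straight into SurrealQL, so the sort clause is whatever
    the caller sent. Shown only for contrast; do not use."""
    return f"SELECT * FROM {table} ORDER BY {order_by}"


def safe_query(
    table: str, order_by: str, name_filter: Optional[str] = None
) -> Tuple[str, Dict[str, str]]:
    """The 'after' shape: the ORDER BY clause is rebuilt from allowlisted
    tokens, and data values (here an optional name filter) are passed to
    the driver as bound $variables rather than spliced into the text.

    `table` is a trusted constant chosen by application code, never by the
    request.
    """
    field, direction = parse_order_by(order_by)
    params: Dict[str, str] = {}
    where = ""
    if name_filter is not None:
        where = " WHERE name = $name"
        params["name"] = name_filter  # bound by the driver, not interpolated
    sql = f"SELECT * FROM {table}{where} ORDER BY {field} {direction.upper()}"
    return sql, params


if __name__ == "__main__":
    print(safe_query("notebook", "updated desc", name_filter="Research"))
    try:
        parse_order_by("password desc")
    except InvalidSortParameter as exc:
        print("rejected:", exc)
```

Bound parameters carry data values, not identifiers, so the sort column and direction cannot be protected by `$variable` binding alone; that is why the endpoint needs the allowlist and why the shared `get_all()` method gets the same check, so a future caller cannot reintroduce the bug by passing a request value through.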

Affected versions

All versions up to and including v1.8.2.

Recommended action

Upgrade to v1.8.3 immediately.

Credit

Reported by CERT-EU Offensive Security Team via coordinated vulnerability disclosure.
