JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).

| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| jupyterhub (PyPI) | 0 | 1.2.0b1 | N/A |

CVSS Metrics