Leaking Jupyter instance auth token chaining CVE-2023-39968, CVE-2024-22421 and a Chromium bug

After getting an invitation to Jupyter’s private (then public and now not active anymore) program on Intigriti, I decided to dig into its codebase. After spending a few hours, I found a client-side path traversal issue; chaining it with an open redirect and a Chromium issue, I was able to leak JupyterLab’s authentication and CSRF tokens.

From Intigriti challenge to a Vue.js script gadget

Intigriti’s November challenge by IvarsVids was about a Vue.js one-pager that reflected user input with some replacements. After visiting the challenge homepage at https://challenge-1121.intigriti.io/ we quickly notice that it reflects the s query parameter without escaping the HTML less-than and greater-than signs, resulting in HTML injection.