GHSA-4vwq-x64q-j4cj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4vwq-x64q-j4cj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4vwq-x64q-j4cj/GHSA-4vwq-x64q-j4cj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4vwq-x64q-j4cj
- Aliases
- Published
- 2022-05-14T02:04:49Z
- Modified
- 2024-09-23T17:27:49.131389Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Improper Neutralization of Input During Web Page Generation in Jupyter Notebook
- Details
-
Cross-site scripting (XSS) vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. NOTE: this was originally reported as a cross-site request forgery (CSRF) vulnerability, but this may be inaccurate.
- Database specific
{ "nvd_published_at": "2015-09-21T19:59:00Z", "severity": "MODERATE", "github_reviewed_at": "2022-07-06T20:10:16Z", "github_reviewed": true, "cwe_ids": [ "CWE-79" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2015-6938
- https://github.com/ipython/ipython/commit/3ab41641cf6fce3860c73d5cf4645aa12e1e5892
- https://github.com/jupyter/notebook/commit/35f32dd2da804d108a3a3585b69ec3295b2677ed
- https://github.com/jupyter/notebook/commit/dd9876381f0ef09873d8c5f6f2063269172331e3
- https://bugzilla.redhat.com/show_bug.cgi?id=1259405
- https://github.com/advisories/GHSA-4vwq-x64q-j4cj
- https://github.com/pypa/advisory-database/tree/main/vulns/ipython/PYSEC-2015-24.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/notebook/PYSEC-2015-26.yaml
- http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166460.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166471.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167670.html
- http://lists.opensuse.org/opensuse-updates/2015-10/msg00016.html
- http://seclists.org/oss-sec/2015/q3/474
- http://seclists.org/oss-sec/2015/q3/544
Affected packages
PyPI / notebook
Package
- Name
- notebook
- View open source insights on deps.dev
- Purl
- pkg:pypi/notebook
PyPI / ipython
Package
- Name
- ipython
- View open source insights on deps.dev
- Purl
- pkg:pypi/ipython
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.2.2
Affected versions
0.*
0.7.1.fix1
0.7.4.svn.r2010
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.6.10
0.6.11
0.6.12
0.6.13
0.6.14
0.6.15
0.7.0
0.7.1
0.7.2
0.7.3
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.9
0.9.1
0.10
0.10.1
0.10.2
0.11
0.12
0.12.1
0.13
0.13.1
0.13.2
1.*
1.0.0
1.1.0
1.2.0
1.2.1
2.*
2.0.0
2.1.0
2.2.0
2.3.0
2.3.1
2.4.0
2.4.1
3.*
3.0.0
3.1.0
3.2.0
3.2.1