FKIE_CVE-2015-6938

Vulnerability from fkie_nvd - Published: 2015-09-21 19:59 - Updated: 2025-04-12 10:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. NOTE: this was originally reported as a cross-site request forgery (CSRF) vulnerability, but this may be inaccurate.
References
cve@mitre.orghttp://lists.fedoraproject.org/pipermail/package-announce/2015-September/166460.htmlThird Party Advisory
cve@mitre.orghttp://lists.fedoraproject.org/pipermail/package-announce/2015-September/166471.htmlThird Party Advisory
cve@mitre.orghttp://lists.fedoraproject.org/pipermail/package-announce/2015-September/167670.htmlThird Party Advisory
cve@mitre.orghttp://lists.opensuse.org/opensuse-updates/2015-10/msg00016.htmlThird Party Advisory
cve@mitre.orghttp://seclists.org/oss-sec/2015/q3/474
cve@mitre.orghttp://seclists.org/oss-sec/2015/q3/544Mailing List, Patch
cve@mitre.orghttps://bugzilla.redhat.com/show_bug.cgi?id=1259405Issue Tracking
cve@mitre.orghttps://github.com/ipython/ipython/commit/3ab41641cf6fce3860c73d5cf4645aa12e1e5892Exploit
cve@mitre.orghttps://github.com/jupyter/notebook/commit/35f32dd2da804d108a3a3585b69ec3295b2677edExploit
cve@mitre.orghttps://github.com/jupyter/notebook/commit/dd9876381f0ef09873d8c5f6f2063269172331e3Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166460.htmlThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166471.htmlThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167670.htmlThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-updates/2015-10/msg00016.htmlThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/oss-sec/2015/q3/474
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/oss-sec/2015/q3/544Mailing List, Patch
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=1259405Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/ipython/ipython/commit/3ab41641cf6fce3860c73d5cf4645aa12e1e5892Exploit
af854a3a-2127-422b-91ae-364da2661108https://github.com/jupyter/notebook/commit/35f32dd2da804d108a3a3585b69ec3295b2677edExploit
af854a3a-2127-422b-91ae-364da2661108https://github.com/jupyter/notebook/commit/dd9876381f0ef09873d8c5f6f2063269172331e3Issue Tracking, Patch
Impacted products
Vendor Product Version
jupyter notebook 4.0.0
jupyter notebook 4.0.1
jupyter notebook 4.0.2
jupyter notebook 4.0.3
jupyter notebook 4.0.4
fedoraproject fedora 21
fedoraproject fedora 22
fedoraproject fedora 23
opensuse opensuse 13.1
opensuse opensuse 13.2
ipython notebook *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:jupyter:notebook:4.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "320F3B3D-9D14-4CD2-87F7-FE9096E1B85A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:jupyter:notebook:4.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "D41485D7-0A64-40CC-A784-3A2182CE830D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:jupyter:notebook:4.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "FF025212-0295-4746-8506-7F287DE65D11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:jupyter:notebook:4.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "16AA87BF-6CC1-48D3-AB8E-A73E8EFD1D1B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:jupyter:notebook:4.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "6ADC5C96-5B64-47C8-A5B2-879F9E9BE2DA",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
              "matchCriteriaId": "56BDB5A0-0839-4A20-A003-B8CD56F48171",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*",
              "matchCriteriaId": "253C303A-E577-4488-93E6-68A8DD942C38",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*",
              "matchCriteriaId": "E79AB8DD-C907-4038-A931-1A5A4CFB6A5B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ipython:notebook:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FD264874-41FF-4357-82DF-0BB77DD3E1C1",
              "versionEndIncluding": "3.2.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name.  NOTE: this was originally reported as a cross-site request forgery (CSRF) vulnerability, but this may be inaccurate."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de XSS en el buscador de archivos en notebook/notebookapp.py en IPython Notebook en versiones anteriores a 3.2.2 y Jupyter Notebook 4.0.x en versiones anteriores a 4.0.5, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del nombre de una carpeta. NOTA: esta vulnerabilidad fue inicialmente reportada como (CSRF), pero esto puede ser incorrecto."
    }
  ],
  "id": "CVE-2015-6938",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2015-09-21T19:59:05.353",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166460.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166471.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167670.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00016.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://seclists.org/oss-sec/2015/q3/474"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Patch"
      ],
      "url": "http://seclists.org/oss-sec/2015/q3/544"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1259405"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "https://github.com/ipython/ipython/commit/3ab41641cf6fce3860c73d5cf4645aa12e1e5892"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "https://github.com/jupyter/notebook/commit/35f32dd2da804d108a3a3585b69ec3295b2677ed"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/jupyter/notebook/commit/dd9876381f0ef09873d8c5f6f2063269172331e3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166460.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166471.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167670.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00016.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://seclists.org/oss-sec/2015/q3/474"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Patch"
      ],
      "url": "http://seclists.org/oss-sec/2015/q3/544"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1259405"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "https://github.com/ipython/ipython/commit/3ab41641cf6fce3860c73d5cf4645aa12e1e5892"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "https://github.com/jupyter/notebook/commit/35f32dd2da804d108a3a3585b69ec3295b2677ed"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/jupyter/notebook/commit/dd9876381f0ef09873d8c5f6f2063269172331e3"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.