CVE-2015-7337

Advisory

The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to execute arbitrary JavaScript code via a crafted file, which triggers a redirect to files/, related to MIME types.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to execute arbitrary JavaScript code via a crafted file, which triggers a redirect to files/, related to MIME types.

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7337
• https://github.com/jupyter/notebook/commit/9e63dd89b603dfbe3a7e774d8a962ee0fa30c0b5
• https://github.com/ipython/ipython/commit/0a8096adf165e2465550bd5893d7e352544e5967
• http://seclists.org/oss-sec/2015/q3/558
• http://seclists.org/oss-sec/2015/q3/634
• http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167670.html
• https://bugzilla.redhat.com/show_bug.cgi?id=1264067
• https://security.gentoo.org/glsa/201512-02