8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
56.9%
JSON error responses from the IPython notebook REST API contained URL parameters and were incorrectly reported as text/html instead of application/json. The error messages included some of these URL params, resulting in a cross site scripting attack (CVE-2015-4707). POST requests exposed via the IPython REST API are vulnerable to cross-site request forgery (CSRF). Web pages on different domains can make non-AJAX POST requests to known IPython URLs, and IPython will honor them. The user’s browser will automatically send IPython cookies along with the requests. The response is blocked by the Same-Origin Policy, but the request isn’t (CVE-2015-5607). The Mageia 5 package has been patched to fix these issues. The Mageia 4 package wasn’t vulnerable to CVE-2015-4707, but it has been updated and patched to fix CVE-2015-5607.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Mageia | 4 | noarch | ipython | < 2.3.0-1 | ipython-2.3.0-1.mga4 |
Mageia | 5 | noarch | ipython | < 2.3.0-2.2 | ipython-2.3.0-2.2.mga5 |
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
56.9%