FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: 290351c9-6f5c-11e5-a2a1-002590263bf5
Description: devel/ipython -- multiple vulnerabilities

Matthias Bussonnier reports:

Summary: Local folder name was used in HTML templates without escaping, allowing XSS in said pages by carefully crafting folder name and URL to access it.

URI with issues:

  • GET /tree/**

Benjamin RK reports:

Vulnerability: A maliciously forged file opened for editing can execute javascript, specifically by being redirected to /files/ due to a failure to treat the file as plain text.

URI with issues:

  • GET /edit/**

Discovery: 2015-09-01
Entry: 2015-10-10
Affects: ipython < 3.2.2

ports/203668
CVE-2015-6938
CVE-2015-7337
http://www.openwall.com/lists/oss-security/2015/09/02/3
https://github.com/ipython/ipython/commit/3ab41641cf6fce3860c73d5cf4645aa12e1e5892
http://www.openwall.com/lists/oss-security/2015/09/16/3
https://github.com/ipython/ipython/commit/0a8096adf165e2465550bd5893d7e352544e5967

VuXML ID: 81326883-2905-11e5-a4a5-002590263bf5
Description: devel/ipython -- CSRF possible remote execution vulnerability

Kyle Kelley reports:

Summary: POST requests exposed via the IPython REST API are vulnerable to cross-site request forgery (CSRF). Web pages on different domains can make non-AJAX POST requests to known IPython URLs, and IPython will honor them. The user's browser will automatically send IPython cookies along with the requests. The response is blocked by the Same-Origin Policy, but the request isn't.

API paths with issues:

  • POST /api/contents//
  • POST /api/contents///checkpoints
  • POST /api/contents///checkpoints/
  • POST /api/kernels
  • POST /api/kernels//
  • POST /api/sessions
  • POST /api/clusters//

Discovery: 2015-07-12
Entry: 2015-07-13
Modified: 2015-07-22
Affects: ipython >= 0.12, < 3.2.1

CVE-2015-5607
http://seclists.org/oss-sec/2015/q3/92
http://ipython.org/ipython-doc/3/whatsnew/version3.html#ipython-3-2-1

VuXML ID: a4460ac7-192c-11e5-9c01-bcaec55be5e5
Description: devel/ipython -- remote execution

Kyle Kelley reports:

Summary: JSON error responses from the IPython notebook REST API contained URL parameters and were incorrectly reported as text/html instead of application/json. The error messages included some of these URL params, resulting in a cross site scripting attack. This affects users on Mozilla Firefox but not Chromium/Google Chrome.

API paths with issues:

  • /api/contents (3.0-3.1)
  • /api/notebooks (2.0-2.4, 3.0-3.1)

Discovery: 2015-06-22
Entry: 2015-06-22
Affects: ipython < 3.2.0

CVE-2015-4706
CVE-2015-4707
http://seclists.org/oss-sec/2015/q2/779