CVE-2023-24816 – set_term_title command injection in ipython
https://notcve.org/view.php?id=CVE-2023-24816
IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Versions prior to 8.1.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requires that the function `IPython.utils.terminal.set_term_title` be called on Windows in a Python environment where ctypes is not available. The dependency on `ctypes` in `IPython.utils._process_win32` prevents the vulnerable code from ever being reached in the ipython binary. • https://github.com/ipython/ipython/blob/3f0bf05f072a91b2a3042d23ce250e5e906183fd/IPython/utils/terminal.py#L103-L117 https://github.com/ipython/ipython/blob/56e6925dfa50e2c7f4a6471547b8176275db7c25/IPython/utils/_process_win32.py#L20 https://github.com/ipython/ipython/commit/385d69325319a5972ee9b5983638e3617f21cb1f https://github.com/ipython/ipython/security/advisories/GHSA-29gw-9793-fvw7 • CWE-20: Improper Input Validation CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2022-21699 – Execution with Unnecessary Privileges in ipython
https://notcve.org/view.php?id=CVE-2022-21699
IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine. All users are advised to upgrade. IPython (Interactive Python) es un shell de comandos para la computación interactiva en múltiples lenguajes de programación, desarrollado originalmente para el lenguaje de programación Python. • https://github.com/ipython/ipython/commit/46a51ed69cdf41b4333943d9ceeb945c4ede5668 https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699 https://lists.debian.org/debian-lts-announce/2022/01/msg00021.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CRQRTWHYXMLDJ572VGVUZMUPEOTPM3KB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/m • CWE-250: Execution with Unnecessary Privileges CWE-269: Improper Privilege Management CWE-279: Incorrect Execution-Assigned Permissions •
CVE-2015-4706
https://notcve.org/view.php?id=CVE-2015-4706
Cross-site scripting (XSS) vulnerability in IPython 3.x before 3.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving JSON error messages and the /api/contents path. Una vulnerabilidad de tipo Cross-Site Scripting (XSS) en las versiones 3.x de IPython anteriores a la 3.2 permite que atacantes remotos inyecten scripts web o HTML mediante vectores que implican mensajes de error JSON y la ruta /api/contents. • http://www.openwall.com/lists/oss-security/2015/06/22/7 http://www.securityfocus.com/bid/75328 https://bugzilla.redhat.com/show_bug.cgi?id=1235688 https://github.com/ipython/ipython/commit/7222bd53ad089a65fd610fab4626f9d0ab47dfce https://github.com/ipython/ipython/commit/c2078a53543ed502efd968649fee1125e0eb549c https://ipython.org/ipython-doc/3/whatsnew/version3.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-4707
https://notcve.org/view.php?id=CVE-2015-4707
Cross-site scripting (XSS) vulnerability in IPython before 3.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving JSON error messages and the /api/notebooks path. Una vulnerabilidad de tipo Cross-Site Scripting (XSS) en IPython en versiones anteriores a la 3.2 permite que atacantes remotos inyecten scripts web o HTML mediante vectores relacionados con mensajes de error JSON y la ruta /api/notebooks. • http://www.openwall.com/lists/oss-security/2015/06/22/7 http://www.securityfocus.com/bid/75328 https://bugzilla.redhat.com/show_bug.cgi?id=1235688 https://github.com/ipython/ipython/commit/7222bd53ad089a65fd610fab4626f9d0ab47dfce https://github.com/ipython/ipython/commit/c2078a53543ed502efd968649fee1125e0eb549c https://ipython.org/ipython-doc/3/whatsnew/version3.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-5607
https://notcve.org/view.php?id=CVE-2015-5607
Cross-site request forgery in the REST API in IPython 2 and 3. Existe una vulnerabillidad de tipo Cross-Site Request Forgery (CSRF) en IPython 2 y 3. • http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162671.html http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162936.html http://www.openwall.com/lists/oss-security/2015/07/21/3 https://bugzilla.redhat.com/show_bug.cgi?id=1243842 https://github.com/ipython/ipython/commit/1415a9710407e7c14900531813c15ba6165f0816 https://github.com/ipython/ipython/commit/a05fe052a18810e92d9be8c1185952c13fe4e5b0 • CWE-352: Cross-Site Request Forgery (CSRF) •