CVE-2014-3429
https://notcve.org/view.php?id=CVE-2014-3429
IPython Notebook 0.12 through 1.x before 1.2 does not validate the origin of websocket requests, which allows remote attackers to execute arbitrary code by leveraging knowledge of the kernel id and a crafted page. IPython Notebook 0.12 hasta 1.x anterior a 1.2 no valida el origen de las solicitudes de Websockets, lo que permite a atacantes remotos ejecutar código arbitrario mediante el aprovechamiento de conocimiento del kernel id y una página manipulada. • http://advisories.mageia.org/MGASA-2014-0320.html http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython http://lists.opensuse.org/opensuse-updates/2014-08/msg00039.html http://permalink.gmane.org/gmane.comp.python.ipython.devel/13198 http://seclists.org/oss-sec/2014/q3/152 http://www.mandriva.com/security/advisories?name=MDVSA-2015:160 https://bugzilla.redhat.com/show_bug.cgi?id=1119890 https://exchange.xforce.ibmcloud.com/vulnerabilities/94497 https://github.com/ipython/ipyth • CWE-94: Improper Control of Generation of Code ('Code Injection') •