Moderate severityNVD Advisory· Published Sep 21, 2015· Updated Jun 17, 2026
CVE-2015-6938
CVE-2015-6938
Description
Cross-site scripting (XSS) vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. NOTE: this was originally reported as a cross-site request forgery (CSRF) vulnerability, but this may be inaccurate.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
notebookPyPI | >= 4.0.0, < 4.0.5 | 4.0.5 |
ipythonPyPI | < 3.2.2 | 3.2.2 |
Affected products
13cpe:2.3:a:jupyter:notebook:4.0.0:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:a:jupyter:notebook:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:jupyter:notebook:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:jupyter:notebook:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:jupyter:notebook:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:jupyter:notebook:4.0.4:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
- ghsa-coords2 versions
< 3.2.2+ 1 more
- (no CPE)range: < 3.2.2
- (no CPE)range: >= 4.0.0, < 4.0.5
Patches
Vulnerability mechanics
References
14- seclists.org/oss-sec/2015/q3/544nvdMailing ListPatchWEB
- github.com/jupyter/notebook/commit/dd9876381f0ef09873d8c5f6f2063269172331e3nvdIssue TrackingPatchWEB
- github.com/ipython/ipython/commit/3ab41641cf6fce3860c73d5cf4645aa12e1e5892nvdExploitWEB
- github.com/jupyter/notebook/commit/35f32dd2da804d108a3a3585b69ec3295b2677ednvdExploitWEB
- lists.fedoraproject.org/pipermail/package-announce/2015-September/166460.htmlnvdThird Party AdvisoryWEB
- lists.fedoraproject.org/pipermail/package-announce/2015-September/166471.htmlnvdThird Party AdvisoryWEB
- lists.fedoraproject.org/pipermail/package-announce/2015-September/167670.htmlnvdThird Party AdvisoryWEB
- lists.opensuse.org/opensuse-updates/2015-10/msg00016.htmlnvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-4vwq-x64q-j4cjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2015-6938ghsaADVISORY
- seclists.org/oss-sec/2015/q3/474nvdWEB
- bugzilla.redhat.com/show_bug.cginvdIssue TrackingWEB
- github.com/pypa/advisory-database/tree/main/vulns/ipython/PYSEC-2015-24.yamlghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/notebook/PYSEC-2015-26.yamlghsaWEB
News mentions
0No linked articles in our index yet.