IPython Notebook 0.12 through 1.x before 1.2 does not validate the origin of websocket requests, which allows remote attackers to execute arbitrary code by leveraging knowledge of the kernel id and a crafted page.
https://github.com/ipython/ipython/pull/4845
https://exchange.xforce.ibmcloud.com/vulnerabilities/94497
https://bugzilla.redhat.com/show_bug.cgi?id=1119890
http://seclists.org/oss-sec/2014/q3/152
http://lists.opensuse.org/opensuse-updates/2014-08/msg00039.html
http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython