CVE-2007-2383

NameCVE-2007-2383
DescriptionThe Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."
SourceCVE (at NVD; LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-1952-1
NVD severitymedium (attack range: remote)
Debian Bugs555217, 555220, 555221, 555225, 555228, 555229, 555231, 555232, 555234, 555235, 555237, 555240, 555246, 555248, 555250, 555255, 555268, 555274, 558977

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
asterisk (PTS)wheezy1:1.8.13.1~dfsg1-3+deb7u3fixed
wheezy (security)1:1.8.13.1~dfsg1-3+deb7u4fixed
jessie1:11.13.1~dfsg-2fixed
stretch, sid1:13.8.2~dfsg-1fixed
auth2db (PTS)wheezy0.2.5-2+dfsg-4fixed
sid, jessie0.2.5-2+dfsg-5fixed
exaile (PTS)wheezy0.3.2.2-3fixed
jessie3.4.0.2-1fixed
glpi (PTS)wheezy0.83.31-1fixed
sid, jessie0.84.8+dfsg.1-1fixed
jscropperui (PTS)stretch, sid, jessie, wheezy1.2.2-1fixed
knowledgeroot (PTS)wheezy0.9.9.5-6fixed
libaws (PTS)wheezy2.10.2-4fixed
jessie3.2.0-3fixed
stretch3.2.0-4fixed
sid3.3.2-1fixed
libhtml-prototype-perl (PTS)wheezy1.48-3fixed
jessie1.48-4fixed
stretch, sid1.48-5fixed
lucene2 (PTS)jessie, wheezy2.9.4+ds1-4fixed
stretch, sid2.9.4+ds1-5fixed
mantis (PTS)wheezy (security), wheezy1.2.18-1fixed
mediatomb (PTS)wheezy0.12.1-4+deb7u1fixed
stretch, sid0.12.1-47-g7ab7616-1fixed
op-panel (PTS)wheezy0.30~dfsg-3fixed
otrs2 (PTS)wheezy (security), wheezy3.1.7+dfsg1-8+deb7u5fixed
jessie3.3.9-3fixed
stretch, sid5.0.10-1fixed
prototypejs (PTS)wheezy1.7.0-2fixed
stretch, sid, jessie1.7.1-3fixed
scriptaculous (PTS)stretch, sid, jessie, wheezy1.9.0-2fixed
symfony (PTS)jessie2.3.21+dfsg-4+deb8u2fixed
jessie (security)2.3.21+dfsg-4+deb8u3fixed
stretch, sid2.8.6+dfsg-1fixed
webhelpers (PTS)stretch, sid, jessie, wheezy1.3-4fixed
wordpress (PTS)wheezy (security), wheezy3.6.1+dfsg-1~deb7u10fixed
jessie (security), jessie4.1+dfsg-1+deb8u8fixed
stretch, sid4.5.2+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
activeldapsource(unstable)(not affected)
asterisksource(unstable)1:1.6.2.0~rc3-1low555220
asterisksourcelenny1:1.4.21.2~dfsg-3+lenny1mediumDSA-1952-1
auth2dbsource(unstable)0.2.5-2+dfsg-1low555217
ebug-httpsource(unstable)0.31-2.1low555235
exailesource(unstable)(not affected)
glpisource(unstable)0.72.3-1low555228
hobixsource(unstable)0.5~svn20070319-4low555246
jscropperuisource(unstable)1.2.1-1low555255
knowledgerootsource(unstable)0.9.9.5-1low555229
knowledgerootsourcelenny(not affected)
libawssource(unstable)2.7-1low555221
libhtml-prototype-perlsource(unstable)1.48-3low558977
libjson-rubysource(unstable)(not affected)
lucene2source(unstable)2.9.1+ds1-2low555225
lucene2sourceetch(not affected)
mantissource(unstable)(not affected)
mediatombsource(unstable)0.11.0-3low555232
mt-daapdsource(unstable)0.9~r1696.dfsg-6low555231
op-panelsource(unstable)0.30~dfsg-1low555234
otrs2source(unstable)(not affected)
pixelpostsource(unstable)1.7.1-6low555248
plone3source(unstable)(unfixed)low555274
poker-networksource(unstable)1.7.6-1low555237
prototypejssource(unstable)(not affected)
qwiksource(unstable)(unfixed)low555240
rt-extension-emailcompletionsource(unstable)(not affected)
scriptaculoussource(unstable)(not affected)
symfonysource(unstable)1.0.21-1.1low555250
webcalendarsource(unstable)1.2~b1-2low555268
webcalendarsourcelenny(not affected)
webhelperssource(unstable)(not affected)
wesnothsource(unstable)(not affected)
wordpresssource(unstable)(not affected)

Notes

- prototypejs <not-affected> (fixed before initial upload)
[etch] - asterisk <no-dsa> (minor issue)
[lenny] - asterisk <no-dsa> (minor issue)
[etch] - libaws <no-dsa> (minor issue)
[lenny] - libaws <no-dsa> (minor issue)
- libjson-ruby <not-affected> (has prototype.js >= 1.5.1)
[etch] - lucene2 <not-affected> (prototype.js not present)
[lenny] - lucene2 <no-dsa> (minor issue)
[etch] - glpi <no-dsa> (minor issue)
[lenny] - glpi <no-dsa> (minor issue)
[etch] - knowledgeroot <no-dsa> (minor issue)
[lenny] - knowledgeroot <not-affected> (Uses the prototype.js copy from scriptaculous)
[etch] - mt-daapd <no-dsa> (minor issue)
[lenny] - ebug-http <no-dsa> (Minor issue)
[etch] - poker-network <no-dsa> (minor issue)
- webhelpers <not-affected> (fixed since initial inclusion)
[etch] - qwik <no-dsa> (minor issue)
[lenny] - qwik <no-dsa> (minor issue)
- wordpress <not-affected> (fixed since initial inclusion)
- exaile <not-affected> (fixed since initial inclusion)
[lenny] - hobix <no-dsa> (minor issue)
[lenny] - pixelpost <no-dsa> (minor issue)
[lenny] - symfony <no-dsa> (minor issue)
[lenny] - jscropperui <no-dsa> (minor issue)
- rt-extension-emailcompletion <not-affected> (fixed since initial inclusion)
- scriptaculous <not-affected> (fixed since initial inclusion)
- activeldap <not-affected> (fixed since initial inclusion)
- mantis <not-affected> (fixed since initial inclusion)
- otrs2 <not-affected> (fixed since initial inclusion)
[lenny] - webcalendar <not-affected> (prototype.js not present)
- wesnoth <not-affected> (fixed since initial inclusion)
[etch] - libhtml-prototype-perl <no-dsa> (minor issue)
[lenny] - libhtml-prototype-perl <no-dsa> (minor issue)
see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
This allows to steal data from affected websites. Therefore web applications should
only be considered vunerabile if they process confidential data.
The frameworks should be fixed in any case.

Search for package or bug name: Reporting problems