CVE-2007-2383

NameCVE-2007-2383
DescriptionThe Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."
SourceCVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
ReferencesDSA-1952-1
NVD severitymedium (attack range: remote)
Debian Bugs555217, 555220, 555221, 555225, 555228, 555229, 555231, 555232, 555234, 555235, 555237, 555240, 555246, 555248, 555250, 555255, 555268, 555274, 558977
Debian/oldoldstablenot vulnerable.
Debian/oldstablenot vulnerable.
Debian/stablenot vulnerable.
Debian/testingnot vulnerable.
Debian/unstablenot vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
activeldap (PTS)squeeze1.2.2-1fixed
asterisk (PTS)squeeze, squeeze (security)1:1.6.2.9-2+squeeze12fixed
wheezy, wheezy (security)1:1.8.13.1~dfsg1-3+deb7u3fixed
stretch, jessie1:11.13.1~dfsg-2fixed
sid1:13.1.0~dfsg-1fixed
auth2db (PTS)squeeze0.2.5-2+dfsg-3fixed
wheezy0.2.5-2+dfsg-4fixed
stretch, sid, jessie0.2.5-2+dfsg-5fixed
ebug-http (PTS)squeeze0.31-2.1fixed
exaile (PTS)squeeze0.2.14+debian-2.3fixed
wheezy0.3.2.2-3fixed
jessie3.4.0.2-1fixed
stretch, sid3.4.5-1fixed
glpi (PTS)squeeze0.72.4-2.1fixed
wheezy0.83.31-1fixed
stretch, sid, jessie0.84.8+dfsg.1-1fixed
hobix (PTS)squeeze0.5~svn20070319-4fixed
jscropperui (PTS)squeeze1.2.1-2fixed
stretch, sid, jessie, wheezy1.2.2-1fixed
knowledgeroot (PTS)squeeze, wheezy0.9.9.5-6fixed
libaws (PTS)squeeze2.7-4fixed
wheezy2.10.2-4fixed
stretch, sid, jessie3.2.0-3fixed
libhtml-prototype-perl (PTS)squeeze, wheezy1.48-3fixed
jessie1.48-4fixed
stretch, sid1.48-5fixed
libjson-ruby (PTS)squeeze1.1.9-1fixed
squeeze (lts)1.1.9-1+deb6u1fixed
lucene2 (PTS)squeeze2.9.2+ds1-1fixed
stretch, sid, jessie, wheezy2.9.4+ds1-4fixed
mantis (PTS)squeeze (security)1.1.8+dfsg-10squeeze2fixed
wheezy1.2.11-1.2+deb7u1fixed
wheezy (security)1.2.18-1fixed
mediatomb (PTS)squeeze0.12.0~svn2018-6.1fixed
wheezy0.12.1-4fixed
sid0.12.1-7fixed
mt-daapd (PTS)squeeze0.9~r1696.dfsg-16fixed
op-panel (PTS)squeeze, sid, wheezy0.30~dfsg-3fixed
otrs2 (PTS)squeeze, squeeze (security)2.4.9+dfsg1-3+squeeze5fixed
wheezy3.1.7+dfsg1-8+deb7u4fixed
wheezy (security)3.1.7+dfsg1-8+deb7u5fixed
jessie3.3.9-3fixed
stretch4.0.8-1fixed
sid4.0.9-1fixed
poker-network (PTS)squeeze1.7.7-3.2fixed
prototypejs (PTS)squeeze1.6.1-1fixed
wheezy1.7.0-2fixed
stretch, sid, jessie1.7.1-3fixed
rt-extension-emailcompletion (PTS)squeeze0.06-3fixed
scriptaculous (PTS)squeeze1.8.3-1fixed
stretch, sid, jessie, wheezy1.9.0-2fixed
symfony (PTS)jessie2.3.21+dfsg-4fixed
jessie (security)2.3.21+dfsg-4+deb8u1fixed
stretch, sid2.7.1+dfsg-1fixed
webhelpers (PTS)squeeze1.1-1fixed
stretch, sid, jessie, wheezy1.3-4fixed
wordpress (PTS)squeeze, squeeze (security)3.6.1+dfsg-1~deb6u4fixed
squeeze (lts)3.6.1+dfsg-1~deb6u6fixed
wheezy3.6.1+dfsg-1~deb7u5fixed
wheezy (security)3.6.1+dfsg-1~deb7u6fixed
jessie (security), jessie4.1+dfsg-1+deb8u1fixed
stretch, sid4.2.2+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
activeldapsource(unstable)(not affected)
asterisksource(unstable)1:1.6.2.0~rc3-1low555220
asterisksourcelenny1:1.4.21.2~dfsg-3+lenny1mediumDSA-1952-1
auth2dbsource(unstable)0.2.5-2+dfsg-1low555217
ebug-httpsource(unstable)0.31-2.1low555235
exailesource(unstable)(not affected)
glpisource(unstable)0.72.3-1low555228
hobixsource(unstable)0.5~svn20070319-4low555246
jscropperuisource(unstable)1.2.1-1low555255
knowledgerootsource(unstable)0.9.9.5-1low555229
knowledgerootsourcelenny(not affected)
libawssource(unstable)2.7-1low555221
libhtml-prototype-perlsource(unstable)1.48-3low558977
libjson-rubysource(unstable)(not affected)
lucene2source(unstable)2.9.1+ds1-2low555225
lucene2sourceetch(not affected)
mantissource(unstable)(not affected)
mediatombsource(unstable)0.11.0-3low555232
mt-daapdsource(unstable)0.9~r1696.dfsg-6low555231
op-panelsource(unstable)0.30~dfsg-1low555234
otrs2source(unstable)(not affected)
pixelpostsource(unstable)1.7.1-6low555248
plone3source(unstable)(unfixed)low555274
poker-networksource(unstable)1.7.6-1low555237
prototypejssource(unstable)(not affected)
qwiksource(unstable)(unfixed)low555240
rt-extension-emailcompletionsource(unstable)(not affected)
scriptaculoussource(unstable)(not affected)
symfonysource(unstable)1.0.21-1.1low555250
webcalendarsource(unstable)1.2~b1-2low555268
webcalendarsourcelenny(not affected)
webhelperssource(unstable)(not affected)
wesnothsource(unstable)(not affected)
wordpresssource(unstable)(not affected)

Notes

- prototypejs <not-affected> (fixed before initial upload)
[etch] - asterisk <no-dsa> (minor issue)
[lenny] - asterisk <no-dsa> (minor issue)
[etch] - libaws <no-dsa> (minor issue)
[lenny] - libaws <no-dsa> (minor issue)
- libjson-ruby <not-affected> (has prototype.js >= 1.5.1)
[etch] - lucene2 <not-affected> (prototype.js not present)
[lenny] - lucene2 <no-dsa> (minor issue)
[etch] - glpi <no-dsa> (minor issue)
[lenny] - glpi <no-dsa> (minor issue)
[etch] - knowledgeroot <no-dsa> (minor issue)
[lenny] - knowledgeroot <not-affected> (Uses the prototype.js copy from scriptaculous)
[etch] - mt-daapd <no-dsa> (minor issue)
[lenny] - ebug-http <no-dsa> (Minor issue)
[etch] - poker-network <no-dsa> (minor issue)
- webhelpers <not-affected> (fixed since initial inclusion)
[etch] - qwik <no-dsa> (minor issue)
[lenny] - qwik <no-dsa> (minor issue)
- wordpress <not-affected> (fixed since initial inclusion)
- exaile <not-affected> (fixed since initial inclusion)
[lenny] - hobix <no-dsa> (minor issue)
[lenny] - pixelpost <no-dsa> (minor issue)
[lenny] - symfony <no-dsa> (minor issue)
[lenny] - jscropperui <no-dsa> (minor issue)
- rt-extension-emailcompletion <not-affected> (fixed since initial inclusion)
- scriptaculous <not-affected> (fixed since initial inclusion)
- activeldap <not-affected> (fixed since initial inclusion)
- mantis <not-affected> (fixed since initial inclusion)
- otrs2 <not-affected> (fixed since initial inclusion)
[lenny] - webcalendar <not-affected> (prototype.js not present)
- wesnoth <not-affected> (fixed since initial inclusion)
[etch] - libhtml-prototype-perl <no-dsa> (minor issue)
[lenny] - libhtml-prototype-perl <no-dsa> (minor issue)
see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
This allows to steal data from affected websites. Therefore web applications should
only be considered vunerabile if they process confidential data.
The frameworks should be fixed in any case.

Search for package or bug name: Reporting problems