CVE-2007-2383

Name	CVE-2007-2383
Description	The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-1952-1
Debian Bugs	555217, 555220, 555221, 555225, 555228, 555229, 555231, 555232, 555234, 555235, 555237, 555240, 555246, 555248, 555250, 555255, 555268, 555274, 558977

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
asterisk (PTS)	bullseye	1:16.28.0~dfsg-0+deb11u4	fixed
	bullseye (security)	1:16.28.0~dfsg-0+deb11u8	fixed
	sid	1:22.5.2~dfsg+~cs6.15.60671435-1	fixed
exaile (PTS)	trixie	4.1.4~beta1+dfsg-1	fixed
	forky, sid	4.1.4+dfsg-1	fixed
jscropperui (PTS)	bookworm, bullseye	1.2.2-1.1	fixed
	forky, sid, trixie	1.2.2-2	fixed
libaws (PTS)	bullseye	20.2-2	fixed
	bullseye (security)	20.2-2+deb11u1	fixed
libhtml-prototype-perl (PTS)	bullseye	1.48-5.1	fixed
	forky, sid, bookworm, trixie	1.48-6	fixed
otrs2 (PTS)	bullseye/non-free	6.0.32-6	fixed
prototypejs (PTS)	bullseye	1.7.1-3.1	fixed
	bookworm	1.7.3-1	fixed
	forky, sid, trixie	1.7.3-2	fixed
scriptaculous (PTS)	bullseye	1.9.0-2.1	fixed
	bookworm	1.9.0-3	fixed
	forky, sid, trixie	1.9.0-4	fixed
symfony (PTS)	bullseye	4.4.19+dfsg-2+deb11u6	fixed
	bullseye (security)	4.4.19+dfsg-2+deb11u7	fixed
	bookworm, bookworm (security)	5.4.23+dfsg-1+deb12u4	fixed
	trixie	6.4.21+dfsg-2	fixed
	forky, sid	6.4.25+dfsg-1	fixed
wordpress (PTS)	bullseye (security), bullseye	5.7.11+dfsg1-0+deb11u1	fixed
	bookworm, bookworm (security)	6.1.6+dfsg1-0+deb12u1	fixed
	trixie	6.8.1+dfsg1-1	fixed
	forky, sid	6.8.3+dfsg1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
activeldap	source	(unstable)	(not affected)
asterisk	source	lenny	1:1.4.21.2~dfsg-3+lenny1		DSA-1952-1
asterisk	source	(unstable)	1:1.6.2.0~rc3-1	low		555220
auth2db	source	(unstable)	0.2.5-2+dfsg-1	low		555217
ebug-http	source	(unstable)	0.31-2.1	low		555235
exaile	source	(unstable)	(not affected)
glpi	source	(unstable)	0.72.3-1	low		555228
hobix	source	(unstable)	0.5~svn20070319-4	low		555246
jscropperui	source	(unstable)	1.2.1-1	low		555255
knowledgeroot	source	lenny	(not affected)
knowledgeroot	source	(unstable)	0.9.9.5-1	low		555229
libaws	source	(unstable)	2.7-1	low		555221
libhtml-prototype-perl	source	(unstable)	1.48-3	low		558977
libjson-ruby	source	(unstable)	(not affected)
lucene2	source	etch	(not affected)
lucene2	source	(unstable)	2.9.1+ds1-2	low		555225
mantis	source	(unstable)	(not affected)
mediatomb	source	(unstable)	0.11.0-3	low		555232
mt-daapd	source	(unstable)	0.9~r1696.dfsg-6	low		555231
op-panel	source	(unstable)	0.30~dfsg-1	low		555234
otrs2	source	(unstable)	(not affected)
pixelpost	source	(unstable)	1.7.1-6	low		555248
plone3	source	(unstable)	(unfixed)	low		555274
poker-network	source	(unstable)	1.7.6-1	low		555237
prototypejs	source	(unstable)	(not affected)
qwik	source	(unstable)	(unfixed)	low		555240
rt-extension-emailcompletion	source	(unstable)	(not affected)
scriptaculous	source	(unstable)	(not affected)
symfony	source	(unstable)	1.0.21-1.1	low		555250
webcalendar	source	lenny	(not affected)
webcalendar	source	(unstable)	1.2~b1-2	low		555268
webhelpers	source	(unstable)	(not affected)
wesnoth	source	(unstable)	(not affected)
wordpress	source	(unstable)	(not affected)

Notes

- prototypejs <not-affected> (fixed before initial upload)
[etch] - asterisk <no-dsa> (minor issue)
[lenny] - asterisk <no-dsa> (minor issue)
[etch] - libaws <no-dsa> (minor issue)
[lenny] - libaws <no-dsa> (minor issue)
- libjson-ruby <not-affected> (has prototype.js >= 1.5.1)
[etch] - lucene2 <not-affected> (prototype.js not present)
[lenny] - lucene2 <no-dsa> (minor issue)
[etch] - glpi <no-dsa> (minor issue)
[lenny] - glpi <no-dsa> (minor issue)
[etch] - knowledgeroot <no-dsa> (minor issue)
[lenny] - knowledgeroot <not-affected> (Uses the prototype.js copy from scriptaculous)
[etch] - mt-daapd <no-dsa> (minor issue)
[lenny] - ebug-http <no-dsa> (Minor issue)
[etch] - poker-network <no-dsa> (minor issue)
- webhelpers <not-affected> (fixed since initial inclusion)
[etch] - qwik <no-dsa> (minor issue)
[lenny] - qwik <no-dsa> (minor issue)
- wordpress <not-affected> (fixed since initial inclusion)
- exaile <not-affected> (fixed since initial inclusion)
[lenny] - hobix <no-dsa> (minor issue)
[lenny] - pixelpost <no-dsa> (minor issue)
[lenny] - symfony <no-dsa> (minor issue)
[lenny] - jscropperui <no-dsa> (minor issue)
- rt-extension-emailcompletion <not-affected> (fixed since initial inclusion)
- scriptaculous <not-affected> (fixed since initial inclusion)
- activeldap <not-affected> (fixed since initial inclusion)
- mantis <not-affected> (fixed since initial inclusion)
- otrs2 <not-affected> (fixed since initial inclusion)
[lenny] - webcalendar <not-affected> (prototype.js not present)
- wesnoth <not-affected> (fixed since initial inclusion)
[etch] - libhtml-prototype-perl <no-dsa> (minor issue)
[lenny] - libhtml-prototype-perl <no-dsa> (minor issue)
see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
This allows to steal data from affected websites. Therefore web applications should
only be considered vunerabile if they process confidential data.
The frameworks should be fixed in any case.