CVE-2007-2383

NameCVE-2007-2383
DescriptionThe Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-1952-1
Debian Bugs555217, 555220, 555221, 555225, 555228, 555229, 555231, 555232, 555234, 555235, 555237, 555240, 555246, 555248, 555250, 555255, 555268, 555274, 558977

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
asterisk (PTS)buster1:16.2.1~dfsg-1+deb10u2fixed
buster (security)1:16.28.0~dfsg-0+deb10u4fixed
bullseye1:16.28.0~dfsg-0+deb11u3fixed
bullseye (security)1:16.28.0~dfsg-0+deb11u4fixed
sid1:20.6.0~dfsg+~cs6.13.40431414-2fixed
exaile (PTS)trixie4.1.3+dfsg-2fixed
sid4.1.3+dfsg-3fixed
jscropperui (PTS)buster1.2.2-1fixed
bookworm, bullseye1.2.2-1.1fixed
sid, trixie1.2.2-2fixed
libaws (PTS)buster19.0-2fixed
bullseye, sid20.2-2fixed
libhtml-prototype-perl (PTS)buster1.48-5fixed
bullseye1.48-5.1fixed
bookworm, sid, trixie1.48-6fixed
otrs2 (PTS)buster/non-free6.0.16-2fixed
buster/non-free (security)6.0.16-2+deb10u1fixed
bullseye/non-free6.0.32-6fixed
prototypejs (PTS)buster1.7.1-3fixed
bullseye1.7.1-3.1fixed
bookworm, sid, trixie1.7.3-1fixed
scriptaculous (PTS)buster1.9.0-2fixed
bullseye1.9.0-2.1fixed
bookworm, sid, trixie1.9.0-3fixed
symfony (PTS)buster3.4.22+dfsg-2+deb10u1fixed
buster (security)3.4.22+dfsg-2+deb10u3fixed
bullseye4.4.19+dfsg-2+deb11u4fixed
bookworm5.4.23+dfsg-1+deb12u1fixed
sid, trixie6.4.5+dfsg-4fixed
webhelpers (PTS)buster1.3-4fixed
wordpress (PTS)buster5.0.15+dfsg1-0+deb10u1fixed
buster (security)5.0.21+dfsg1-0+deb10u1fixed
bullseye (security), bullseye5.7.8+dfsg1-0+deb11u2fixed
bookworm6.1.1+dfsg1-1fixed
sid, trixie6.4.3+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
activeldapsource(unstable)(not affected)
asterisksourcelenny1:1.4.21.2~dfsg-3+lenny1DSA-1952-1
asterisksource(unstable)1:1.6.2.0~rc3-1low555220
auth2dbsource(unstable)0.2.5-2+dfsg-1low555217
ebug-httpsource(unstable)0.31-2.1low555235
exailesource(unstable)(not affected)
glpisource(unstable)0.72.3-1low555228
hobixsource(unstable)0.5~svn20070319-4low555246
jscropperuisource(unstable)1.2.1-1low555255
knowledgerootsourcelenny(not affected)
knowledgerootsource(unstable)0.9.9.5-1low555229
libawssource(unstable)2.7-1low555221
libhtml-prototype-perlsource(unstable)1.48-3low558977
libjson-rubysource(unstable)(not affected)
lucene2sourceetch(not affected)
lucene2source(unstable)2.9.1+ds1-2low555225
mantissource(unstable)(not affected)
mediatombsource(unstable)0.11.0-3low555232
mt-daapdsource(unstable)0.9~r1696.dfsg-6low555231
op-panelsource(unstable)0.30~dfsg-1low555234
otrs2source(unstable)(not affected)
pixelpostsource(unstable)1.7.1-6low555248
plone3source(unstable)(unfixed)low555274
poker-networksource(unstable)1.7.6-1low555237
prototypejssource(unstable)(not affected)
qwiksource(unstable)(unfixed)low555240
rt-extension-emailcompletionsource(unstable)(not affected)
scriptaculoussource(unstable)(not affected)
symfonysource(unstable)1.0.21-1.1low555250
webcalendarsourcelenny(not affected)
webcalendarsource(unstable)1.2~b1-2low555268
webhelperssource(unstable)(not affected)
wesnothsource(unstable)(not affected)
wordpresssource(unstable)(not affected)

Notes

- prototypejs <not-affected> (fixed before initial upload)
[etch] - asterisk <no-dsa> (minor issue)
[lenny] - asterisk <no-dsa> (minor issue)
[etch] - libaws <no-dsa> (minor issue)
[lenny] - libaws <no-dsa> (minor issue)
- libjson-ruby <not-affected> (has prototype.js >= 1.5.1)
[etch] - lucene2 <not-affected> (prototype.js not present)
[lenny] - lucene2 <no-dsa> (minor issue)
[etch] - glpi <no-dsa> (minor issue)
[lenny] - glpi <no-dsa> (minor issue)
[etch] - knowledgeroot <no-dsa> (minor issue)
[lenny] - knowledgeroot <not-affected> (Uses the prototype.js copy from scriptaculous)
[etch] - mt-daapd <no-dsa> (minor issue)
[lenny] - ebug-http <no-dsa> (Minor issue)
[etch] - poker-network <no-dsa> (minor issue)
- webhelpers <not-affected> (fixed since initial inclusion)
[etch] - qwik <no-dsa> (minor issue)
[lenny] - qwik <no-dsa> (minor issue)
- wordpress <not-affected> (fixed since initial inclusion)
- exaile <not-affected> (fixed since initial inclusion)
[lenny] - hobix <no-dsa> (minor issue)
[lenny] - pixelpost <no-dsa> (minor issue)
[lenny] - symfony <no-dsa> (minor issue)
[lenny] - jscropperui <no-dsa> (minor issue)
- rt-extension-emailcompletion <not-affected> (fixed since initial inclusion)
- scriptaculous <not-affected> (fixed since initial inclusion)
- activeldap <not-affected> (fixed since initial inclusion)
- mantis <not-affected> (fixed since initial inclusion)
- otrs2 <not-affected> (fixed since initial inclusion)
[lenny] - webcalendar <not-affected> (prototype.js not present)
- wesnoth <not-affected> (fixed since initial inclusion)
[etch] - libhtml-prototype-perl <no-dsa> (minor issue)
[lenny] - libhtml-prototype-perl <no-dsa> (minor issue)
see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
This allows to steal data from affected websites. Therefore web applications should
only be considered vunerabile if they process confidential data.
The frameworks should be fixed in any case.

Search for package or bug name: Reporting problems