CVE-2007-2383

NameCVE-2007-2383
DescriptionThe Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-1952-1
NVD severitymedium
Debian Bugs555217, 555220, 555221, 555225, 555228, 555229, 555231, 555232, 555234, 555235, 555237, 555240, 555246, 555248, 555250, 555255, 555268, 555274, 558977

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
asterisk (PTS)stretch (security), stretch1:13.14.1~dfsg-2+deb9u4fixed
buster1:16.2.1~dfsg-1+deb10u2fixed
sid1:16.15.0~dfsg-1fixed
jscropperui (PTS)bullseye, sid, buster, stretch1.2.2-1fixed
libaws (PTS)stretch3.3.2-2fixed
buster19.0-2fixed
bullseye, sid20.0-2fixed
libhtml-prototype-perl (PTS)bullseye, sid, buster, stretch1.48-5fixed
lucene2 (PTS)stretch2.9.4+ds1-6fixed
otrs2 (PTS)buster/non-free6.0.16-2fixed
bullseye/non-free6.0.30-1fixed
sid/non-free6.0.30-2fixed
stretch/non-free (security), stretch/non-free5.0.16-1+deb9u6fixed
prototypejs (PTS)bullseye, sid, buster, stretch1.7.1-3fixed
scriptaculous (PTS)bullseye, sid, buster, stretch1.9.0-2fixed
symfony (PTS)stretch (security), stretch2.8.7+dfsg-1.3+deb9u3fixed
buster, buster (security)3.4.22+dfsg-2+deb10u1fixed
bullseye, sid4.4.14+dfsg-1fixed
webhelpers (PTS)buster, stretch1.3-4fixed
wordpress (PTS)stretch4.7.5+dfsg-2+deb9u6fixed
stretch (security)4.7.19+dfsg-1+deb9u1fixed
buster5.0.10+dfsg1-0+deb10u1fixed
buster (security)5.0.11+dfsg1-0+deb10u1fixed
bullseye5.5.1+dfsg1-1fixed
sid5.5.3+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
activeldapsource(unstable)(not affected)
asterisksourcelenny1:1.4.21.2~dfsg-3+lenny1DSA-1952-1
asterisksource(unstable)1:1.6.2.0~rc3-1low555220
auth2dbsource(unstable)0.2.5-2+dfsg-1low555217
ebug-httpsource(unstable)0.31-2.1low555235
exailesource(unstable)(not affected)
glpisource(unstable)0.72.3-1low555228
hobixsource(unstable)0.5~svn20070319-4low555246
jscropperuisource(unstable)1.2.1-1low555255
knowledgerootsourcelenny(not affected)
knowledgerootsource(unstable)0.9.9.5-1low555229
libawssource(unstable)2.7-1low555221
libhtml-prototype-perlsource(unstable)1.48-3low558977
libjson-rubysource(unstable)(not affected)
lucene2sourceetch(not affected)
lucene2source(unstable)2.9.1+ds1-2low555225
mantissource(unstable)(not affected)
mediatombsource(unstable)0.11.0-3low555232
mt-daapdsource(unstable)0.9~r1696.dfsg-6low555231
op-panelsource(unstable)0.30~dfsg-1low555234
otrs2source(unstable)(not affected)
pixelpostsource(unstable)1.7.1-6low555248
plone3source(unstable)(unfixed)low555274
poker-networksource(unstable)1.7.6-1low555237
prototypejssource(unstable)(not affected)
qwiksource(unstable)(unfixed)low555240
rt-extension-emailcompletionsource(unstable)(not affected)
scriptaculoussource(unstable)(not affected)
symfonysource(unstable)1.0.21-1.1low555250
webcalendarsourcelenny(not affected)
webcalendarsource(unstable)1.2~b1-2low555268
webhelperssource(unstable)(not affected)
wesnothsource(unstable)(not affected)
wordpresssource(unstable)(not affected)

Notes

- prototypejs <not-affected> (fixed before initial upload)
[etch] - asterisk <no-dsa> (minor issue)
[lenny] - asterisk <no-dsa> (minor issue)
[etch] - libaws <no-dsa> (minor issue)
[lenny] - libaws <no-dsa> (minor issue)
- libjson-ruby <not-affected> (has prototype.js >= 1.5.1)
[etch] - lucene2 <not-affected> (prototype.js not present)
[lenny] - lucene2 <no-dsa> (minor issue)
[etch] - glpi <no-dsa> (minor issue)
[lenny] - glpi <no-dsa> (minor issue)
[etch] - knowledgeroot <no-dsa> (minor issue)
[lenny] - knowledgeroot <not-affected> (Uses the prototype.js copy from scriptaculous)
[etch] - mt-daapd <no-dsa> (minor issue)
[lenny] - ebug-http <no-dsa> (Minor issue)
[etch] - poker-network <no-dsa> (minor issue)
- webhelpers <not-affected> (fixed since initial inclusion)
[etch] - qwik <no-dsa> (minor issue)
[lenny] - qwik <no-dsa> (minor issue)
- wordpress <not-affected> (fixed since initial inclusion)
- exaile <not-affected> (fixed since initial inclusion)
[lenny] - hobix <no-dsa> (minor issue)
[lenny] - pixelpost <no-dsa> (minor issue)
[lenny] - symfony <no-dsa> (minor issue)
[lenny] - jscropperui <no-dsa> (minor issue)
- rt-extension-emailcompletion <not-affected> (fixed since initial inclusion)
- scriptaculous <not-affected> (fixed since initial inclusion)
- activeldap <not-affected> (fixed since initial inclusion)
- mantis <not-affected> (fixed since initial inclusion)
- otrs2 <not-affected> (fixed since initial inclusion)
[lenny] - webcalendar <not-affected> (prototype.js not present)
- wesnoth <not-affected> (fixed since initial inclusion)
[etch] - libhtml-prototype-perl <no-dsa> (minor issue)
[lenny] - libhtml-prototype-perl <no-dsa> (minor issue)
see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
This allows to steal data from affected websites. Therefore web applications should
only be considered vunerabile if they process confidential data.
The frameworks should be fixed in any case.

Search for package or bug name: Reporting problems